From 403ab34f37ba4ec32e5b5d414347d72d3bd9c851 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 14 May 2025 18:10:18 +0000 Subject: [PATCH] import UBI ghostscript-10.02.1-16.el10_0 --- .ghostscript.metadata | 1 - .gitignore | 2 +- ...st-to-void-to-avoid-compiler-warning.patch | 25 + ...nds-checks-when-using-CIDFont-relate.patch | 76 +++ ...-allow-PDF-files-with-bad-Filters-to.patch | 46 ++ ...707510-don-t-use-strlen-on-passwords.patch | 46 ++ ...g-707510-review-printing-of-pointers.patch | 430 +++++++++++++++ 0001-Bug-707686.patch | 94 ++++ 0001-Bug-707691.patch | 43 ++ ...ecode_utf8-to-forbid-overlong-encodi.patch | 29 +- ...-for-overflow-validating-format-stri.patch | 0 ...-integer-overflow-leading-to-buffer-.patch | 41 ++ ...ent-unsafe-parameter-change-with-SAF.patch | 26 + ...sanitise-W-array-values-in-Xref-stre.patch | 62 +++ ...heck-the-type-of-the-Pattern-Impleme.patch | 0 ...-interpreter-fix-buffer-length-check.patch | 36 ++ ...prevent-string-configuration-changes.patch | 79 +++ 0001-X-device-fix-compiler-warning.patch | 60 +++ ...568-Fix-gdevpx.c-RLE-stream-handling.patch | 64 --- ...g-701568-followup-Fix-RLE-compressor.patch | 118 ---- ...-output-buffer-size-worst-case-in-lp.patch | 31 -- ...mitEOD-flag-to-RLE-compressor-and-us.patch | 101 ---- ...hostscript-s-encoding-decoding-of-UT.patch | 239 -------- ...-interpreter-fix-buffer-length-check.patch | 13 - ...tscript-9.23-100-run-dvipdf-securely.patch | 22 - SOURCES/ghostscript-9.27-CVE-2023-28879.patch | 44 -- SOURCES/ghostscript-9.27-CVE-2023-38559.patch | 27 - SOURCES/ghostscript-9.27-CVE-2023-4042.patch | 28 - ...rent-VM-modes-during-CIDFont-loading.patch | 88 --- ...ver-does-not-set-page-size-correctly.patch | 22 - ...9.27-avoid-divide-by-zero-in-devices.patch | 88 --- SOURCES/ghostscript-9.27-fix-bbox.patch | 63 --- ...hostscript-9.27-fix-use-of-HWMargins.patch | 16 - ...ite-Substituted-TTF-CIDFont-CID-hand.patch | 106 ---- SOURCES/ghostscript-cve-2019-10216.patch | 43 -- ...ostscript-cve-2019-14811-14812-14813.patch | 56 -- SOURCES/ghostscript-cve-2019-14817.patch | 189 ------- SOURCES/ghostscript-cve-2020-16290.patch | 18 - SOURCES/ghostscript-cve-2020-16291.patch | 257 --------- SOURCES/ghostscript-cve-2020-16293.patch | 13 - SOURCES/ghostscript-cve-2020-16295.patch | 13 - SOURCES/ghostscript-cve-2020-16299.patch | 58 -- SOURCES/ghostscript-cve-2020-16301.patch | 75 --- SOURCES/ghostscript-cve-2020-16302.patch | 228 -------- SOURCES/ghostscript-cve-2020-16304.patch | 77 --- SOURCES/ghostscript-cve-2020-16306.patch | 20 - SOURCES/ghostscript-cve-2020-16307.patch | 205 ------- SOURCES/ghostscript-cve-2020-16310.patch | 57 -- SOURCES/gs-CVE-2023-46751.patch | 12 - SOURCES/gs-cve-2024-33871.patch | 154 ------ ...-10.02.1-PostScript-Fix-selectdevice.patch | 33 ++ ...needs-to-countdown-the-device-on-tex.patch | 31 ++ SPECS/ghostscript.spec => ghostscript.spec | 510 +++++++++++------- sources | 1 + 54 files changed, 1462 insertions(+), 2754 deletions(-) delete mode 100644 .ghostscript.metadata create mode 100644 0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch create mode 100644 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch create mode 100644 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch create mode 100644 0001-Bug-707510-don-t-use-strlen-on-passwords.patch create mode 100644 0001-Bug-707510-review-printing-of-pointers.patch create mode 100644 0001-Bug-707686.patch create mode 100644 0001-Bug-707691.patch rename SOURCES/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch => 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch (64%) rename SOURCES/0001-Bug-707793-Check-for-overflow-validating-format-stri.patch => 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch (100%) create mode 100644 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch create mode 100644 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch create mode 100644 0001-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch rename SOURCES/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch => 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch (100%) create mode 100644 0001-PostScript-interpreter-fix-buffer-length-check.patch create mode 100644 0001-Uniprint-device-prevent-string-configuration-changes.patch create mode 100644 0001-X-device-fix-compiler-warning.patch delete mode 100644 SOURCES/0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch delete mode 100644 SOURCES/0001-Bug-701568-followup-Fix-RLE-compressor.patch delete mode 100644 SOURCES/0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch delete mode 100644 SOURCES/0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch delete mode 100644 SOURCES/0001-Bug-705911-Fix-Ghostscript-s-encoding-decoding-of-UT.patch delete mode 100644 SOURCES/0001-PostScript-interpreter-fix-buffer-length-check.patch delete mode 100644 SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch delete mode 100644 SOURCES/ghostscript-9.27-CVE-2023-28879.patch delete mode 100644 SOURCES/ghostscript-9.27-CVE-2023-38559.patch delete mode 100644 SOURCES/ghostscript-9.27-CVE-2023-4042.patch delete mode 100644 SOURCES/ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch delete mode 100644 SOURCES/ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch delete mode 100644 SOURCES/ghostscript-9.27-avoid-divide-by-zero-in-devices.patch delete mode 100644 SOURCES/ghostscript-9.27-fix-bbox.patch delete mode 100644 SOURCES/ghostscript-9.27-fix-use-of-HWMargins.patch delete mode 100644 SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch delete mode 100644 SOURCES/ghostscript-cve-2019-10216.patch delete mode 100644 SOURCES/ghostscript-cve-2019-14811-14812-14813.patch delete mode 100644 SOURCES/ghostscript-cve-2019-14817.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16290.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16291.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16293.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16295.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16299.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16301.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16302.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16304.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16306.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16307.patch delete mode 100644 SOURCES/ghostscript-cve-2020-16310.patch delete mode 100644 SOURCES/gs-CVE-2023-46751.patch delete mode 100644 SOURCES/gs-cve-2024-33871.patch create mode 100644 ghostscript-10.02.1-PostScript-Fix-selectdevice.patch create mode 100644 ghostscript-10.02.1-txtwrite-device-needs-to-countdown-the-device-on-tex.patch rename SPECS/ghostscript.spec => ghostscript.spec (80%) create mode 100644 sources diff --git a/.ghostscript.metadata b/.ghostscript.metadata deleted file mode 100644 index d933efd..0000000 --- a/.ghostscript.metadata +++ /dev/null @@ -1 +0,0 @@ -f926d2cfb418a7c5d92dce0a9843fa01ee62fe2c SOURCES/ghostscript-9.27.tar.xz diff --git a/.gitignore b/.gitignore index 259c4ed..aea2f37 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/ghostscript-9.27.tar.xz +ghostscript-10.02.1.tar.xz diff --git a/0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch b/0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch new file mode 100644 index 0000000..4fcd14a --- /dev/null +++ b/0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch @@ -0,0 +1,25 @@ +From b7beb19ad06e08b889a44694ff813ed5f6c96da4 Mon Sep 17 00:00:00 2001 +From: Chris Liddell +Date: Thu, 14 Sep 2023 09:01:43 +0100 +Subject: [PATCH] Bug 707130: Cast to void ** to avoid compiler warning + +--- + base/fapi_ft.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/fapi_ft.c b/base/fapi_ft.c +index ccd629757..fc185bfd7 100644 +--- a/base/fapi_ft.c ++++ b/base/fapi_ft.c +@@ -1280,7 +1280,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_server * a_server, gs_fapi_font * a_font, + + if (a_font->retrieve_tt_font != NULL) { + unsigned int ms; +- code = a_font->retrieve_tt_font(a_font, &own_font_data, &ms); ++ code = a_font->retrieve_tt_font(a_font, (void **)&own_font_data, &ms); + if (code == 0) { + data_owned = false; + open_args.memory_base = own_font_data; +-- +2.43.0 + diff --git a/0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch b/0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch new file mode 100644 index 0000000..f8df7d9 --- /dev/null +++ b/0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch @@ -0,0 +1,76 @@ +diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c +index 5f82b7f..6819cb7 100644 +--- a/pdf/pdf_font.c ++++ b/pdf/pdf_font.c +@@ -297,22 +297,55 @@ pdfi_open_CIDFont_substitute_file(pdf_context *ctx, pdf_dict *font_dict, pdf_dic + memcpy(fontfname, fsprefix, fsprefixlen); + } + else { +- memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size); +- fsprefixlen = ctx->args.cidfsubstpath.size; ++ if (ctx->args.cidfsubstpath.size + 1 > gp_file_name_sizeof) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstPath parameter too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ goto exit; ++ } ++ code = 0; ++ memcpy(fontfname, fsprefix, fsprefixlen); ++ } ++ else { ++ memcpy(fontfname, ctx->args.cidfsubstpath.data, ctx->args.cidfsubstpath.size); ++ fsprefixlen = ctx->args.cidfsubstpath.size; ++ } + } + + if (ctx->args.cidfsubstfont.data == NULL) { + int len = 0; +- if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0 && len + fsprefixlen + 1 < gp_file_name_sizeof) { +- (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen); ++ if (gp_getenv("CIDFSUBSTFONT", (char *)0, &len) < 0) { ++ if (len + fsprefixlen + 1 > gp_file_name_sizeof) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSUBSTFONT environment variable too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ goto exit; ++ } ++ code = 0; ++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); ++ } ++ else { ++ (void)gp_getenv("CIDFSUBSTFONT", (char *)(fontfname + fsprefixlen), &defcidfallacklen); ++ } + } + else { + memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); + } + } + else { +- memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size); +- defcidfallacklen = ctx->args.cidfsubstfont.size; ++ if (ctx->args.cidfsubstfont.size > gp_file_name_sizeof - 1) { ++ code = gs_note_error(gs_error_rangecheck); ++ pdfi_set_warning(ctx, code, NULL, W_PDF_BAD_CONFIG, "pdfi_open_CIDFont_substitute_file", "CIDFSubstFont parameter too long"); ++ if (ctx->args.pdfstoponwarning != 0) { ++ goto exit; ++ } ++ code = 0; ++ memcpy(fontfname + fsprefixlen, defcidfallack, defcidfallacklen); ++ } ++ else { ++ memcpy(fontfname, ctx->args.cidfsubstfont.data, ctx->args.cidfsubstfont.size); ++ defcidfallacklen = ctx->args.cidfsubstfont.size; ++ } + } + fontfname[fsprefixlen + defcidfallacklen] = '\0'; + +diff --git a/pdf/pdf_warnings.h b/pdf/pdf_warnings.h +index 6402d8f..d1e0019 100644 +--- a/pdf/pdf_warnings.h ++++ b/pdf/pdf_warnings.h +@@ -97,4 +97,5 @@ PARAM(W_PDF_MISMATCH_GENERATION, "The generation number of an indirectly refe + PARAM(W_PDF_BAD_RENDERINGINTENT, "A ri or /RI used an unknown named rendering intent"), + PARAM(W_PDF_BAD_VIEW, "Couldn't read the initial document view"), + PARAM(W_PDF_BAD_WMODE, "A Font or CMap has a WMode which is neither 0 (horizontal) nor 1 (vertical)"), ++PARAM(W_PDF_BAD_CONFIG, "A configuration or command line parameter was invalid or incorrect."), + #undef PARAM diff --git a/0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch b/0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch new file mode 100644 index 0000000..26f1057 --- /dev/null +++ b/0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch @@ -0,0 +1,46 @@ +From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:55:49 +0000 +Subject: [PATCH] Bug 707510 - don't allow PDF files with bad Filters to + overflow the debug buffer + +Item #2 of the report. + +Allocate a buffer to hold the filter name, instead of assuming it will +fit in a fixed buffer. + +Reviewed all the other PDFDEBUG cases, no others use a fixed buffer like +this. +--- + pdf/pdf_file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/pdf/pdf_file.c b/pdf/pdf_file.c +index 6680ae2db..4b04e3582 100644 +--- a/pdf/pdf_file.c ++++ b/pdf/pdf_file.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2018-2023 Artifex Software, Inc. ++/* Copyright (C) 2018-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -777,10 +777,14 @@ static int pdfi_apply_filter(pdf_context *ctx, pdf_dict *dict, pdf_name *n, pdf_ + + if (ctx->args.pdfdebug) + { +- char str[100]; ++ char *str; ++ str = gs_alloc_bytes(ctx->memory, n->length + 1, "temp string for debug"); ++ if (str == NULL) ++ return_error(gs_error_VMerror); + memcpy(str, (const char *)n->data, n->length); + str[n->length] = '\0'; + dmprintf1(ctx->memory, "FILTER NAME:%s\n", str); ++ gs_free_object(ctx->memory, str, "temp string for debug"); + } + + if (pdfi_name_is(n, "RunLengthDecode")) { +-- +2.45.2 + diff --git a/0001-Bug-707510-don-t-use-strlen-on-passwords.patch b/0001-Bug-707510-don-t-use-strlen-on-passwords.patch new file mode 100644 index 0000000..a66f4f5 --- /dev/null +++ b/0001-Bug-707510-don-t-use-strlen-on-passwords.patch @@ -0,0 +1,46 @@ +From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:58:22 +0000 +Subject: [PATCH] Bug 707510 - don't use strlen on passwords + +Item #1 of the report. This looks like an oversight when first coding +the routine. We should use the PostScript string length, because +PostScript strings may not be NULL terminated (and as here may contain +internal NULL characters). + +Fix the R6 handler which has the same problem too. +--- + pdf/pdf_sec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/pdf/pdf_sec.c b/pdf/pdf_sec.c +index e968b89c5..e02e040f9 100644 +--- a/pdf/pdf_sec.c ++++ b/pdf/pdf_sec.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2020-2023 Artifex Software, Inc. ++/* Copyright (C) 2020-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -1283,7 +1283,7 @@ static int check_password_R5(pdf_context *ctx, char *Password, int PasswordLen, + /* If the supplied Password fails as the user *and* owner password, maybe its in + * the locale, not UTF-8, try converting to UTF-8 + */ +- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P); ++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P); + if (code < 0) + return code; + memcpy(P->data, Password, PasswordLen); +@@ -1330,7 +1330,7 @@ static int check_password_R6(pdf_context *ctx, char *Password, int PasswordLen, + /* If the supplied Password fails as the user *and* owner password, maybe its in + * the locale, not UTF-8, try converting to UTF-8 + */ +- code = pdfi_object_alloc(ctx, PDF_STRING, strlen(ctx->encryption.Password), (pdf_obj **)&P); ++ code = pdfi_object_alloc(ctx, PDF_STRING, PasswordLen, (pdf_obj **)&P); + if (code < 0) + return code; + memcpy(P->data, Password, PasswordLen); +-- +2.45.2 + diff --git a/0001-Bug-707510-review-printing-of-pointers.patch b/0001-Bug-707510-review-printing-of-pointers.patch new file mode 100644 index 0000000..a8697a5 --- /dev/null +++ b/0001-Bug-707510-review-printing-of-pointers.patch @@ -0,0 +1,430 @@ +From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 25 Jan 2024 11:53:44 +0000 +Subject: [PATCH] Bug 707510 - review printing of pointers + +This is for item 4 of the report, which is addressed by the change in +gdevpdtb.c. That change uses a fixed name for fonts which have no name +instead of using the pointer to the address of the font. + +The remaining changes are all due to reviewing the use of PRI_INTPTR. +In general we only use that for debugging purposes but there were a few +places which were printing pointers arbitrarily, even in a release build. + +We really don't want to do that so I've modified the places which were +printing pointer unconditionally so that they only do so if DEBUG is +set at compile time, or a specific debug flag is set. +--- + base/gsfont.c | 4 ++-- + base/gsicc_cache.c | 8 ++++---- + base/gsmalloc.c | 4 ++-- + base/gxclmem.c | 5 ++--- + base/gxcpath.c | 6 +++++- + base/gxpath.c | 8 +++++++- + base/szlibc.c | 4 +++- + devices/gdevupd.c | 7 ++++++- + devices/vector/gdevpdtb.c | 4 ++-- + psi/ialloc.c | 4 ++-- + psi/igc.c | 6 +++--- + psi/igcstr.c | 6 +++--- + psi/iinit.c | 6 +++++- + psi/imainarg.c | 5 +++-- + psi/isave.c | 4 ++-- + psi/iutil.c | 6 +++++- + 16 files changed, 56 insertions(+), 31 deletions(-) + +diff --git a/base/gsfont.c b/base/gsfont.c +index 351954776..8b0da819b 100644 +--- a/base/gsfont.c ++++ b/base/gsfont.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -791,7 +791,7 @@ gs_purge_font(gs_font * pfont) + else if (pdir->scaled_fonts == pfont) + pdir->scaled_fonts = next; + else { /* Shouldn't happen! */ +- lprintf1("purged font "PRI_INTPTR" not found\n", (intptr_t)pfont); ++ if_debug1m('u', pfont->memory, "purged font "PRI_INTPTR" not found\n", (intptr_t)pfont); + } + + /* Purge the font from the scaled font cache. */ +diff --git a/base/gsicc_cache.c b/base/gsicc_cache.c +index c2a59107e..c3026c136 100644 +--- a/base/gsicc_cache.c ++++ b/base/gsicc_cache.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -161,7 +161,7 @@ icc_linkcache_finalize(const gs_memory_t *mem, void *ptr) + return; + while (link_cache->head != NULL) { + if (link_cache->head->ref_count != 0) { +- emprintf2(link_cache->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", ++ if_debug2m(gs_debug_flag_icc, link_cache->memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", + (intptr_t)link_cache->head, link_cache->head->ref_count); + link_cache->head->ref_count = 0; /* force removal */ + } +@@ -586,7 +586,7 @@ gsicc_findcachelink(gsicc_hashlink_t hash, gsicc_link_cache_t *icc_link_cache, + /* that was building it failed to be able to complete building it. Try this only + a limited number of times before we bail. */ + if (curr->valid == false) { +- emprintf1(curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */ ++ if_debug1m(gs_debug_flag_icc, curr->memory, "link "PRI_INTPTR" lock released, but still not valid.\n", (intptr_t)curr); /* Breakpoint here */ + } + gx_monitor_enter(icc_link_cache->lock); /* re-enter to loop and check */ + } +@@ -614,7 +614,7 @@ gsicc_remove_link(gsicc_link_t *link) + /* NOTE: link->ref_count must be 0: assert ? */ + gx_monitor_enter(icc_link_cache->lock); + if (link->ref_count != 0) { +- emprintf2(memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); ++ if_debug2m(gs_debug_flag_icc, memory, "link at "PRI_INTPTR" being removed, but has ref_count = %d\n", (intptr_t)link, link->ref_count); + } + curr = icc_link_cache->head; + prev = NULL; +diff --git a/base/gsmalloc.c b/base/gsmalloc.c +index 5d5b0f4d1..6b8da1fba 100644 +--- a/base/gsmalloc.c ++++ b/base/gsmalloc.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -420,7 +420,7 @@ gs_heap_resize_string(gs_memory_t * mem, byte * data, size_t old_num, size_t new + client_name_t cname) + { + if (gs_heap_object_type(mem, data) != &st_bytes) +- lprintf2("%s: resizing non-string "PRI_INTPTR"!\n", ++ if_debug2m('a', mem, "%s: resizing non-string "PRI_INTPTR"!\n", + client_name_string(cname), (intptr_t)data); + return gs_heap_resize_object(mem, data, new_num, cname); + } +diff --git a/base/gxclmem.c b/base/gxclmem.c +index 9b9bbcf35..68125303e 100644 +--- a/base/gxclmem.c ++++ b/base/gxclmem.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -490,8 +490,7 @@ memfile_fclose(clist_file_ptr cf, const char *fname, bool delete) + /* leaks if other users of the memfile don't 'fclose with delete=true */ + if (f->openlist != NULL || ((f->base_memfile != NULL) && f->base_memfile->is_open)) { + /* TODO: do the cleanup rather than just giving an error */ +- emprintf1(f->memory, +- "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n", ++ if_debug1(':', "Attempt to delete a memfile still open for read: "PRI_INTPTR"\n", + (intptr_t)f); + return_error(gs_error_invalidfileaccess); + } else { +diff --git a/base/gxcpath.c b/base/gxcpath.c +index e277f3172..a7a127db2 100644 +--- a/base/gxcpath.c ++++ b/base/gxcpath.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -178,8 +178,10 @@ gx_cpath_init_contained_shared(gx_clip_path * pcpath, + { + if (shared) { + if (shared->path.segments == &shared->path.local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *pcpath = *shared; +@@ -236,8 +238,10 @@ gx_cpath_init_local_shared_nested(gx_clip_path * pcpath, + if (shared) { + if ((shared->path.segments == &shared->path.local_segments) && + !safely_nested) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of clip path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + pcpath->path = shared->path; +diff --git a/base/gxpath.c b/base/gxpath.c +index eb0f3bf2e..817c247b2 100644 +--- a/base/gxpath.c ++++ b/base/gxpath.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -137,8 +137,10 @@ gx_path_init_contained_shared(gx_path * ppath, const gx_path * shared, + { + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *ppath = *shared; +@@ -172,8 +174,10 @@ gx_path_alloc_shared(const gx_path * shared, gs_memory_t * mem, + ppath->procs = &default_path_procs; + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + gs_free_object(mem, ppath, cname); + return 0; + } +@@ -203,8 +207,10 @@ gx_path_init_local_shared(gx_path * ppath, const gx_path * shared, + { + if (shared) { + if (shared->segments == &shared->local_segments) { ++#ifdef DEBUG + lprintf1("Attempt to share (local) segments of path "PRI_INTPTR"!\n", + (intptr_t)shared); ++#endif + return_error(gs_error_Fatal); + } + *ppath = *shared; +diff --git a/base/szlibc.c b/base/szlibc.c +index e2b0d68c3..5f315c3c3 100644 +--- a/base/szlibc.c ++++ b/base/szlibc.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -110,7 +110,9 @@ s_zlib_free(void *zmem, void *data) + gs_free_object(mem, data, "s_zlib_free(data)"); + for (; ; block = block->next) { + if (block == 0) { ++#ifdef DEBUG + lprintf1("Freeing unrecorded data "PRI_INTPTR"!\n", (intptr_t)data); ++#endif + return; + } + if (block->data == data) +diff --git a/devices/gdevupd.c b/devices/gdevupd.c +index 740dae012..cb479d21f 100644 +--- a/devices/gdevupd.c ++++ b/devices/gdevupd.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -1040,8 +1040,13 @@ upd_print_page(gx_device_printer *pdev, gp_file *out) + */ + if(!upd || B_OK4GO != (upd->flags & (B_OK4GO | B_ERROR))) { + #if UPD_MESSAGES & (UPD_M_ERROR | UPD_M_TOPCALLS) ++#ifdef DEBUG + errprintf(pdev->memory, "CALL-REJECTED upd_print_page(" PRI_INTPTR "," PRI_INTPTR ")\n", + (intptr_t)udev,(intptr_t) out); ++#else ++ errprintf(pdev->memory, "CALL-REJECTED upd_print_page\n", ++ (intptr_t)udev,(intptr_t) out); ++#endif + #endif + return_error(gs_error_undefined); + } +diff --git a/devices/vector/gdevpdtb.c b/devices/vector/gdevpdtb.c +index 41046aa21..3d7dcae53 100644 +--- a/devices/vector/gdevpdtb.c ++++ b/devices/vector/gdevpdtb.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -373,7 +373,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev, pdf_base_font_t **ppbfont, + font_name.size -= SUBSET_PREFIX_SIZE; + } + } else { +- gs_snprintf(fnbuf, sizeof(fnbuf), ".F" PRI_INTPTR, (intptr_t)copied); ++ gs_snprintf(fnbuf, sizeof(fnbuf), "Anonymous"); + font_name.data = (byte *)fnbuf; + font_name.size = strlen(fnbuf); + } +diff --git a/psi/ialloc.c b/psi/ialloc.c +index 6d22110e8..40216e41c 100644 +--- a/psi/ialloc.c ++++ b/psi/ialloc.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -391,7 +391,7 @@ gs_free_ref_array(gs_ref_memory_t * mem, ref * parr, client_name_t cname) + size = num_refs * sizeof(ref); + break; + default: +- lprintf3("Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!", ++ if_debug3('A', "Unknown type 0x%x in free_ref_array(%u,"PRI_INTPTR")!", + r_type(parr), num_refs, (intptr_t)obj); + return; + } +diff --git a/psi/igc.c b/psi/igc.c +index 121723f79..ab6565c6b 100644 +--- a/psi/igc.c ++++ b/psi/igc.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -1062,7 +1062,7 @@ gc_extend_stack(gc_mark_stack * pms, gc_state_t * pstate) + + if (cp == 0) { /* We were tracing outside collectible */ + /* storage. This can't happen. */ +- lprintf1("mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n", ++ if_debug1('6', "mark stack overflowed while outside collectible space at "PRI_INTPTR"!\n", + (intptr_t)cptr); + gs_abort(pstate->heap); + } +@@ -1291,7 +1291,7 @@ igc_reloc_struct_ptr(const void /*obj_header_t */ *obj, gc_state_t * gcst) + + if (cp != 0 && cp->cbase <= (byte *)obj && (byte *)obj ctop) { + if (back > (cp->ctop - cp->cbase) >> obj_back_shift) { +- lprintf2("Invalid back pointer %u at "PRI_INTPTR"!\n", ++ if_debug2('6', "Invalid back pointer %u at "PRI_INTPTR"!\n", + back, (intptr_t)obj); + gs_abort(NULL); + } +diff --git a/psi/igcstr.c b/psi/igcstr.c +index bfaee419b..c43c12875 100644 +--- a/psi/igcstr.c ++++ b/psi/igcstr.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -152,7 +152,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst) + return false; + #ifdef DEBUG + if (ptr < cp->ctop) { +- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", ++ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", + (intptr_t)ptr, size, (intptr_t)cp->ctop, (intptr_t)cp->climit); + return false; + } else if (ptr + size > cp->climit) { /* +@@ -171,7 +171,7 @@ gc_string_mark(const byte * ptr, uint size, bool set, gc_state_t * gcst) + while (ptr == scp->climit && scp->outer != 0) + scp = scp->outer; + if (ptr + size > scp->climit) { +- lprintf4("String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", ++ if_debug4('6', "String pointer "PRI_INTPTR"[%u] outside ["PRI_INTPTR".."PRI_INTPTR")\n", + (intptr_t)ptr, size, + (intptr_t)scp->ctop, (intptr_t)scp->climit); + return false; +diff --git a/psi/iinit.c b/psi/iinit.c +index ed41b36da..0af7ee9c1 100644 +--- a/psi/iinit.c ++++ b/psi/iinit.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -395,8 +395,12 @@ zop_init(i_ctx_t *i_ctx_p) + if (def->proc != 0) { + code = def->proc(i_ctx_p); + if (code < 0) { ++#ifdef DEBUG + lprintf2("op_init proc "PRI_INTPTR" returned error %d!\n", + (intptr_t)def->proc, code); ++#else ++ lprintf("op_init proc returned error !\n"); ++#endif + return code; + } + } +diff --git a/psi/imainarg.c b/psi/imainarg.c +index 638694ba2..29ad1d633 100644 +--- a/psi/imainarg.c ++++ b/psi/imainarg.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -229,7 +229,8 @@ gs_main_init_with_args01(gs_main_instance * minst, int argc, char *argv[]) + if (gs_debug[':'] && !have_dumped_args) { + int i; + +- dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ", ++ if (gs_debug_c(gs_debug_flag_init_details)) ++ dmprintf1(minst->heap, "%% Args passed to instance "PRI_INTPTR": ", + (intptr_t)minst); + for (i=1; iheap, "%s ", argv[i]); +diff --git a/psi/isave.c b/psi/isave.c +index 80cf9c1f7..795170fcb 100644 +--- a/psi/isave.c ++++ b/psi/isave.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -487,7 +487,7 @@ alloc_save_change_in(gs_ref_memory_t *mem, const ref * pcont, + else if (r_is_struct(pcont)) + cp->offset = (byte *) where - (byte *) pcont->value.pstruct; + else { +- lprintf3("Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n", ++ if_debug3('u', "Bad type %u for save! pcont = "PRI_INTPTR", where = "PRI_INTPTR"\n", + r_type(pcont), (intptr_t) pcont, (intptr_t) where); + gs_abort((const gs_memory_t *)mem); + } +diff --git a/psi/iutil.c b/psi/iutil.c +index 405869666..239c26b85 100644 +--- a/psi/iutil.c ++++ b/psi/iutil.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -537,7 +537,11 @@ other: + break; + } + /* Internal operator, no name. */ ++#if DEBUG + gs_snprintf(buf, sizeof(buf), "@"PRI_INTPTR, (intptr_t) op->value.opproc); ++#else ++ gs_snprintf(buf, sizeof(buf), "@anonymous_operator", (intptr_t) op->value.opproc); ++#endif + break; + } + case t_real: +-- +2.45.2 + diff --git a/0001-Bug-707686.patch b/0001-Bug-707686.patch new file mode 100644 index 0000000..d5152b5 --- /dev/null +++ b/0001-Bug-707686.patch @@ -0,0 +1,94 @@ +From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Tue, 26 Mar 2024 12:00:14 +0000 +Subject: [PATCH] Bug #707686 + +See bug thread for details + +In addition to the noted bug; an error path (return from +gp_file_name_reduce not successful) could elad to a memory leak as we +did not free 'bufferfull'. Fix that too. + +This addresses CVE-2024-33870 +--- + base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++---- + 1 file changed, 32 insertions(+), 4 deletions(-) + +diff --git a/base/gpmisc.c b/base/gpmisc.c +index 2b0064bea..c4a69b03a 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem, + const uint len, + const char *mode) + { +- char *buffer, *bufferfull; ++ char *buffer, *bufferfull = NULL; + uint rlen; + int code = 0; + const char *cdirstr = gp_file_name_current(); +@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem, + return gs_error_VMerror; + + buffer = bufferfull + prefix_len; +- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) +- return gs_error_invalidfileaccess; ++ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) { ++ code = gs_note_error(gs_error_invalidfileaccess); ++ goto exit; ++ } + buffer[rlen] = 0; + } + while (1) { +@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem, + code = gs_note_error(gs_error_invalidfileaccess); + } + if (code < 0 && prefix_len > 0 && buffer > bufferfull) { ++ uint newlen = rlen + cdirstrl + dirsepstrl; ++ char *newbuffer; ++ int code; ++ + buffer = bufferfull; + memcpy(buffer, cdirstr, cdirstrl); + memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl); ++ ++ /* We've prepended a './' or similar for the current working directory. We need ++ * to execute file_name_reduce on that, to eliminate any '../' or similar from ++ * the (new) full path. ++ */ ++ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path"); ++ if (newbuffer == NULL) { ++ code = gs_note_error(gs_error_VMerror); ++ goto exit; ++ } ++ ++ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl); ++ newbuffer[newlen] = 0x00; ++ ++ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen); ++ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path"); ++ if (code != gp_combine_success) { ++ code = gs_note_error(gs_error_invalidfileaccess); ++ goto exit; ++ } ++ + continue; + } + else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { +@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem, + gs_path_control_flag_is_scratch_file); + } + ++exit: + gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path"); + #ifdef EACCES + if (code == gs_error_invalidfileaccess) +-- +2.45.2 + diff --git a/0001-Bug-707691.patch b/0001-Bug-707691.patch new file mode 100644 index 0000000..65c01cc --- /dev/null +++ b/0001-Bug-707691.patch @@ -0,0 +1,43 @@ +diff --git a/base/gpmisc.c b/base/gpmisc.c +index c4a69b0..b0d5c71 100644 +--- a/base/gpmisc.c ++++ b/base/gpmisc.c +@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem, + rlen = len; + } + else { ++ char *test = (char *)path, *test1; ++ uint tlen = len, slen; ++ ++ /* Look for any pipe (%pipe% or '|' specifications between path separators ++ * Reject any path spec which has a %pipe% or '|' anywhere except at the start. ++ */ ++ while (tlen > 0) { ++ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) { ++ code = gs_note_error(gs_error_invalidfileaccess); ++ goto exit; ++ } ++ test1 = test; ++ slen = search_separator((const char **)&test, path + len, test1, 1); ++ if(slen == 0) ++ break; ++ test += slen; ++ tlen -= test - test1; ++ if (test >= path + len) ++ break; ++ } ++ + rlen = len+1; + bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); + if (bufferfull == NULL) +@@ -1164,8 +1185,8 @@ gp_validate_path_len(const gs_memory_t *mem, + + continue; + } +- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { +- buffer = bufferfull + cdirstrl + dirsepstrl; ++ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull ++ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) { + continue; + } + break; diff --git a/SOURCES/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch b/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch similarity index 64% rename from SOURCES/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch rename to 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch index 078a505..cb08b28 100644 --- a/SOURCES/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch +++ b/0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch @@ -1,7 +1,25 @@ -diff --git a/base/gp_wutf8.c b/base/gp_wutf8.c -index 56bedc1..23fcdd1 100644 ---- a/base/gp_wutf8.c -+++ b/base/gp_wutf8.c +From 282f691f5e57b6bf55ba51ad8c2be2cce8edb938 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Tue, 18 Jun 2024 18:22:55 +0100 +Subject: [PATCH] Bug 707788: Fix decode_utf8 to forbid overlong encodings. + +These can be used by malicious code to escape directories. + +CVE-2024-46954 +--- + base/gp_utf8.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/base/gp_utf8.c b/base/gp_utf8.c +index c33fc3550..b78977e37 100644 +--- a/base/gp_utf8.c ++++ b/base/gp_utf8.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or @@ -25,12 +25,16 @@ decode_utf8(const char **inp, unsigned int i) if (i < 0x80) { } else if ((i & 0xE0) == 0xC0) { @@ -40,3 +58,6 @@ index 56bedc1..23fcdd1 100644 i = 0xfffd; } *inp = in; +-- +2.49.0 + diff --git a/SOURCES/0001-Bug-707793-Check-for-overflow-validating-format-stri.patch b/0001-Bug-707793-Check-for-overflow-validating-format-stri.patch similarity index 100% rename from SOURCES/0001-Bug-707793-Check-for-overflow-validating-format-stri.patch rename to 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch diff --git a/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch b/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch new file mode 100644 index 0000000..09f9b86 --- /dev/null +++ b/0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch @@ -0,0 +1,41 @@ +From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Wed, 20 Nov 2024 11:42:31 +0000 +Subject: [PATCH] Bug 708133: Avoid integer overflow leading to buffer overflow + +The calculation of the buffer size was being done with int values, and +overflowing that data type. By leaving the total size calculation to the +memory manager, the calculation ends up being done in size_t values, and +avoiding the overflow in this case, but also meaning the memory manager +overflow protection will be effective. + +CVE-2025-27832 +--- + contrib/japanese/gdevnpdl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c +index 60065bacf..4967282bd 100644 +--- a/contrib/japanese/gdevnpdl.c ++++ b/contrib/japanese/gdevnpdl.c +@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + int code; + int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh; + +- if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"))) ++ if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)"))) + return_error(gs_error_VMerror); + + /* Initialize printer */ +@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c + /* Form Feed */ + gp_fputs("\014", prn_stream); + +- gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)"); ++ gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)"); + return 0; + } + +-- +2.49.0 + diff --git a/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch b/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch new file mode 100644 index 0000000..9c736b7 --- /dev/null +++ b/0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch @@ -0,0 +1,26 @@ +diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c +index 74200cf..dc45b22 100644 +--- a/contrib/opvp/gdevopvp.c ++++ b/contrib/opvp/gdevopvp.c +@@ -3296,7 +3296,7 @@ _get_params(gx_device* dev, gs_param_list *plist) + /* vector driver name */ + pname = "Driver"; + vdps.data = (byte *)opdev->globals.vectorDriver; +- vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) + 1 : 0); ++ vdps.size = (opdev->globals.vectorDriver ? strlen(opdev->globals.vectorDriver) : 0); + vdps.persistent = false; + code = param_write_string(plist, pname, &vdps); + if (code) ecode = code; +@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist) + code = param_read_string(plist, pname, &vdps); + switch (code) { + case 0: ++ if (gs_is_path_control_active(dev->memory) ++ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size ++ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) { ++ param_signal_error(plist, pname, gs_error_invalidaccess); ++ return_error(gs_error_invalidaccess); ++ } + buff = realloc(buff, vdps.size + 1); + memcpy(buff, vdps.data, vdps.size); + buff[vdps.size] = 0; diff --git a/0001-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch b/0001-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch new file mode 100644 index 0000000..d5d332e --- /dev/null +++ b/0001-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch @@ -0,0 +1,62 @@ +From b1f0827c30f59a2dcbc8a39e42cace7a1de35f7f Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Mon, 2 Sep 2024 15:14:01 +0100 +Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams + +Bug #708001 "Buffer overflow in PDF XRef stream" + +See bug report. I've chosen to fix this by checking the values in the +W array; these can (currently at least) only have certain relatively +small values. + +As a future proofing fix I've also updated field_size in +pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger +than required, but matches the W array values and so prevents the +mismatch which could lead to a buffer overrun. + +CVE-2024-46952 +--- + pdf/pdf_xref.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c +index fefd08abe..4ad0f548f 100644 +--- a/pdf/pdf_xref.c ++++ b/pdf/pdf_xref.c +@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size) + static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, int64_t first, int64_t last, int64_t *W) + { + uint i, j; +- uint field_width = 0; ++ uint64_t field_width = 0; + uint32_t type = 0; + uint64_t objnum = 0, gen = 0; + byte *Buffer; +@@ -305,6 +305,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd + } + pdfi_countdown(a); + ++ /* W[0] is either: ++ * 0 (no type field) or a single byte with the type. ++ * W[1] is either: ++ * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored. ++ * W[2] is either: ++ * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream. ++ * ++ * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually ++ * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number. ++ * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits. ++ */ ++ if (W[0] > 1 || W[1] > 8 || W[2] > 8) { ++ pdfi_close_file(ctx, XRefStrm); ++ pdfi_countdown(ctx->xref_table); ++ ctx->xref_table = NULL; ++ return code; ++ } ++ + code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a); + if (code == gs_error_undefined) { + code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, W); +-- +2.49.0 + diff --git a/SOURCES/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch b/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch similarity index 100% rename from SOURCES/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch rename to 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch diff --git a/0001-PostScript-interpreter-fix-buffer-length-check.patch b/0001-PostScript-interpreter-fix-buffer-length-check.patch new file mode 100644 index 0000000..ca02452 --- /dev/null +++ b/0001-PostScript-interpreter-fix-buffer-length-check.patch @@ -0,0 +1,36 @@ +From f4151f12db32cd3ed26c24327de714bf2c3ed6ca Mon Sep 17 00:00:00 2001 +From: Zdenek Hutyra +Date: Tue, 23 Jul 2024 11:48:39 +0100 +Subject: [PATCH] PostScript interpreter - fix buffer length check + +Bug 707895 + +See bug report for details. + +CVE-2024-46956 +--- + psi/zfile.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/psi/zfile.c b/psi/zfile.c +index a4f5439cd..cb056494b 100644 +--- a/psi/zfile.c ++++ b/psi/zfile.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -443,7 +443,7 @@ file_continue(i_ctx_t *i_ctx_p) + if (code == ~(uint) 0) { /* all done */ + esp -= 6; /* pop proc, pfen, scratch, devlen, iodev , mark */ + return o_pop_estack; +- } else if (code > len) { /* overran string */ ++ } else if (code > len - devlen) { /* overran string */ + return_error(gs_error_rangecheck); + } + else if (iodev != iodev_default(imemory) +-- +2.49.0 + diff --git a/0001-Uniprint-device-prevent-string-configuration-changes.patch b/0001-Uniprint-device-prevent-string-configuration-changes.patch new file mode 100644 index 0000000..0adbfa6 --- /dev/null +++ b/0001-Uniprint-device-prevent-string-configuration-changes.patch @@ -0,0 +1,79 @@ +From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Thu, 21 Mar 2024 09:01:15 +0000 +Subject: [PATCH] Uniprint device - prevent string configuration changes when + SAFER + +Bug #707662 + +We cannot sanitise the string arguments used by the Uniprint device +because they can potentially include anything. + +This commit ensures that these strings are locked and cannot be +changed by PostScript once SAFER is activated. Full configuration from +the command line is still possible (see the *.upp files in lib). + +This addresses CVE-2024-29510 +--- + devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/devices/gdevupd.c b/devices/gdevupd.c +index c9389e7bc..016a9260a 100644 +--- a/devices/gdevupd.c ++++ b/devices/gdevupd.c +@@ -1891,6 +1891,16 @@ out on this copies. + if(!upd_strings[i]) continue; + UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory); + if(0 == code) { ++ if (gs_is_path_control_active(udev->memory)) { ++ if (strings[i].size != value.size) ++ error = gs_error_invalidaccess; ++ else { ++ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0) ++ error = gs_error_invalidaccess; ++ } ++ if (error < 0) ++ goto exit; ++ } + if(0 <= error) error |= UPD_PUT_STRINGS; + UPD_MM_DEL_PARAM(udev->memory, strings[i]); + if(!value.size) { +@@ -1908,6 +1918,26 @@ out on this copies. + if(!upd_string_a[i]) continue; + UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory); + if(0 == code) { ++ if (gs_is_path_control_active(udev->memory)) { ++ if (string_a[i].size != value.size) ++ error = gs_error_invalidaccess; ++ else { ++ int loop; ++ for (loop = 0;loop < string_a[i].size;loop++) { ++ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]); ++ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop]; ++ ++ if (tmp1->size != tmp2->size) ++ error = gs_error_invalidaccess; ++ else { ++ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0) ++ error = gs_error_invalidaccess; ++ } ++ } ++ } ++ if (error < 0) ++ goto exit; ++ } + if(0 <= error) error |= UPD_PUT_STRING_A; + UPD_MM_DEL_APARAM(udev->memory, string_a[i]); + if(!value.size) { +@@ -2102,6 +2132,7 @@ transferred into the device-structure. In the case of "uniprint", this may + if(0 > code) error = code; + } + ++exit: + if(0 < error) { /* Actually something loaded without error */ + + if(!(upd = udev->upd)) { +-- +2.45.2 + diff --git a/0001-X-device-fix-compiler-warning.patch b/0001-X-device-fix-compiler-warning.patch new file mode 100644 index 0000000..6bb9eaf --- /dev/null +++ b/0001-X-device-fix-compiler-warning.patch @@ -0,0 +1,60 @@ +From 8f5c77af6c0b84bdea719010cf4f67877e857b2b Mon Sep 17 00:00:00 2001 +Message-ID: <8f5c77af6c0b84bdea719010cf4f67877e857b2b.1705768875.git.mjg@fedoraproject.org> +From: Ken Sharp +Date: Fri, 19 Jan 2024 08:44:33 +0000 +Subject: [PATCH] X device - fix compiler 'warning' + +Bug #707502 "- -Wincompatible-pointer-types warning in devices/gdevxini.c" + +This is probably an oversight from when we changed a load of variables +to size_t. + +Seems odd that compilers (well gcc) should refuse to compile becuase of +a warning, but that's compilers. The pointer type is incorrect so let's +fix it. +--- + devices/gdevx.h | 4 ++-- + devices/gdevxini.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/devices/gdevx.h b/devices/gdevx.h +index 82855ae15..1a513afcd 100644 +--- a/devices/gdevx.h ++++ b/devices/gdevx.h +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -39,7 +39,7 @@ typedef struct gx_device_X_s { + bool is_buffered; + bool IsPageDevice; + byte *buffer; /* full-window image */ +- long buffer_size; ++ size_t buffer_size; + gx_device_color_info orig_color_info; + + /* An XImage object for writing bitmap images to the screen */ +diff --git a/devices/gdevxini.c b/devices/gdevxini.c +index df489617c..5f68ce035 100644 +--- a/devices/gdevxini.c ++++ b/devices/gdevxini.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2023 Artifex Software, Inc. ++/* Copyright (C) 2001-2024 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -621,7 +621,7 @@ x_set_buffer(gx_device_X * xdev) + } + if (mdev->width != xdev->width || mdev->height != xdev->height) { + byte *buffer; +- ulong space; ++ size_t space; + + if (gdev_mem_data_size(mdev, xdev->width, xdev->height, &space) < 0 || + space > xdev->space_params.MaxBitmap) { +-- +2.43.0.462.gcdfa2ea447 + diff --git a/SOURCES/0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch b/SOURCES/0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch deleted file mode 100644 index abc44da..0000000 --- a/SOURCES/0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 68c7275d4a580dca6c0ed3798f3717eea3513403 Mon Sep 17 00:00:00 2001 -From: Robin Watts -Date: Thu, 12 Sep 2019 09:35:01 +0100 -Subject: [PATCH] Bug 701568: Fix gdevpx.c RLE stream handling. - -The current code in pclxl_write_image_data_RLE passes -lines of data to the RLE compression routine. It tells -each invocation of that routine that this is the "last" -block of data, when clearly it is not. - -Accordingly, the compression routine inserts the "EOD" byte -into the stream, and returns EOFC. - -Independently of the return value used, having multiple EOD -bytes in the data is clearly wrong. Update the caller to only -pass "last" in for the last block. - -The code still returns EOFC at the end of the data, so update -this final call to accept (indeed, expect) that return value -there. ---- - devices/vector/gdevpx.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/devices/vector/gdevpx.c b/devices/vector/gdevpx.c -index 825e6b4c5..5d2d0edf5 100644 ---- a/devices/vector/gdevpx.c -+++ b/devices/vector/gdevpx.c -@@ -714,6 +714,7 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base, - uint num_bytes = ROUND_UP(width_bytes, 4) * height; - bool compress = num_bytes >= 8; - int i; -+ int code; - - /* cannot handle data_bit not multiple of 8, but we don't invoke this routine that way */ - int offset = data_bit >> 3; -@@ -752,19 +753,20 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base, - r.ptr = data + i * raster - 1; - r.limit = r.ptr + width_bytes; - if ((*s_RLE_template.process) -- ((stream_state *) & rlstate, &r, &w, true) != 0 || -+ ((stream_state *) & rlstate, &r, &w, false) != 0 || - r.ptr != r.limit) - goto ncfree; - r.ptr = (const byte *)"\000\000\000\000\000"; - r.limit = r.ptr + (-(int)width_bytes & 3); - if ((*s_RLE_template.process) -- ((stream_state *) & rlstate, &r, &w, true) != 0 || -+ ((stream_state *) & rlstate, &r, &w, false) != 0 || - r.ptr != r.limit) - goto ncfree; - } - r.ptr = r.limit; -- if ((*s_RLE_template.process) -- ((stream_state *) & rlstate, &r, &w, true) != 0) -+ code = (*s_RLE_template.process) -+ ((stream_state *) & rlstate, &r, &w, true); -+ if (code != EOFC && code != 0) - goto ncfree; - { - uint count = w.ptr + 1 - buf; --- -2.46.2 - diff --git a/SOURCES/0001-Bug-701568-followup-Fix-RLE-compressor.patch b/SOURCES/0001-Bug-701568-followup-Fix-RLE-compressor.patch deleted file mode 100644 index 51a8604..0000000 --- a/SOURCES/0001-Bug-701568-followup-Fix-RLE-compressor.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 3b2ad1f24d2e9705481f9feb6835aa3e851726ac Mon Sep 17 00:00:00 2001 -From: Robin Watts -Date: Thu, 12 Sep 2019 17:09:50 +0100 -Subject: [PATCH] Bug 701568 followup: Fix RLE compressor. - -The previous fix to the RLE compressor reveals an additional -existing issue to do with us not checking whether we have -space in the buffer to write the EOD byte. - -Fixed here. ---- - base/srle.c | 78 ++++++++++++++++++++++++++++++----------------------- - 1 file changed, 45 insertions(+), 33 deletions(-) - -diff --git a/base/srle.c b/base/srle.c -index 50de0d847..0c0186e04 100644 ---- a/base/srle.c -+++ b/base/srle.c -@@ -59,7 +59,13 @@ enum { - state_gt_012, - - /* -n bytes into a repeated run, n0 and n1 read. */ -- state_lt_01 -+ state_lt_01, -+ -+ /* We have reached the end of data, but not written the marker. */ -+ state_eod_unmarked, -+ -+ /* We have reached the end of data, and written the marker. */ -+ state_eod - }; - - #ifdef DEBUG_RLE -@@ -294,43 +300,49 @@ run_len_0_n0_read: - } - } - } -- } -- /* n1 is never valid here */ -+ /* n1 is never valid here */ - -- if (last) { -- if (run_len == 0) { -- /* EOD */ -- if (wlimit - q < 1) { -- ss->state = state_0; -- goto no_output_room; -- } -- } else if (run_len > 0) { -- /* Flush literal run + EOD */ -- if (wlimit - q < run_len+2) { -- ss->state = state_0; -- goto no_output_room; -+ if (last) { -+ if (run_len == 0) { -+ /* EOD */ -+ if (wlimit - q < 1) { -+ ss->state = state_0; -+ goto no_output_room; -+ } -+ } else if (run_len > 0) { -+ /* Flush literal run + EOD */ -+ if (wlimit - q < run_len+2) { -+ ss->state = state_0; -+ goto no_output_room; -+ } -+ *++q = run_len; -+ memcpy(q+1, ss->literals, run_len); -+ q += run_len; -+ *++q = n0; -+ } else if (run_len < 0) { -+ /* Flush repeated run + EOD */ -+ if (wlimit - q < 3) { -+ ss->state = state_0; -+ goto no_output_room; -+ } -+ *++q = 257+run_len; /* Repeated run */ -+ *++q = n0; - } -- *++q = run_len; -- memcpy(q+1, ss->literals, run_len); -- q += run_len; -- *++q = n0; -- } else if (run_len < 0) { -- /* Flush repeated run + EOD */ -- if (wlimit - q < 3) { -- ss->state = state_0; -+ case state_eod_unmarked: -+ if (wlimit - q < 1) { -+ ss->state = state_eod_unmarked; - goto no_output_room; - } -- *++q = 257+run_len; /* Repeated run */ -- *++q = n0; -+ *++q = 128; /* EOD */ -+ case state_eod: -+ ss->run_len = 0; -+ ss->state = state_0; -+ pr->ptr = p; -+ pw->ptr = q; -+ ss->record_left = rlimit - p; -+ debug_ate(pinit, p, qinit, q, EOFC); -+ return EOFC; - } -- *++q = 128; /* EOD */ -- ss->run_len = 0; -- ss->state = state_0; -- pr->ptr = p; -- pw->ptr = q; -- ss->record_left = rlimit - p; -- debug_ate(pinit, p, qinit, q, EOFC); -- return EOFC; - } - - /* Normal exit */ --- -2.46.2 - diff --git a/SOURCES/0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch b/SOURCES/0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch deleted file mode 100644 index 07b5391..0000000 --- a/SOURCES/0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 4f6bc662909ab79e8fbe9822afb36e8a0eafc2b7 Mon Sep 17 00:00:00 2001 -From: Julian Smith -Date: Wed, 6 Nov 2019 12:41:28 +0000 -Subject: [PATCH] Bug 701844: fixed output buffer size worst case in - lp8000_print_page(). - -Fixes: - ./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -dFIXEDMEDIA -sPAPERSIZE=legal -sOutputFile=tmp -sDEVICE=lp8000 ../bug-701844.pdf ---- - devices/gdevlp8k.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/devices/gdevlp8k.c b/devices/gdevlp8k.c -index 0a9bc03c8..55af94df0 100644 ---- a/devices/gdevlp8k.c -+++ b/devices/gdevlp8k.c -@@ -185,7 +185,10 @@ lp8000_print_page(gx_device_printer *pdev, gp_file *prn_stream) - unsigned int report_size; - - byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "lp8000_print_page(buf1)"); -- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "lp8000_print_page(buf2)"); -+ -+ /* Worst case for rle compression below is 3 bytes for each 2 bytes of -+ input, with extra final byte. */ -+ byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size * 3 / 2 + 2, 1, "lp8000_print_page(buf2)"); - byte *in = buf1; - byte *out = buf2; - --- -2.49.0 - diff --git a/SOURCES/0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch b/SOURCES/0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch deleted file mode 100644 index bbd2591..0000000 --- a/SOURCES/0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch +++ /dev/null @@ -1,101 +0,0 @@ -From b772aaf901a3cd37baf5c06eb141c689829bf673 Mon Sep 17 00:00:00 2001 -From: Robin Watts -Date: Tue, 26 Nov 2019 14:35:05 +0000 -Subject: [PATCH] Bug 701949: Add 'omitEOD' flag to RLE compressor and use for - PXL. - -It turns out that some printers (Samsung ML-2250 and Canon -ImageRunner iRC2380i at least) object to the EOD byte appearing -in RLE data in PXL streams. - -Ken kindly checked the PXL spec for me, and found that: "The PXL -spec does say a control code of -128 is ignored and not included -in the decompressed data and the byte following a control byte -of 128 (I assume they mean -128 here) is treated as the next -control byte. And PCL only uses RLE data for images, so they do -know how much data they expect." - -Thus, the conclusion we reached is that PCL/PXL don't need -(indeed, really does not want) the EOD byte. - -The Postscript spec clearly defines the EOD byte though. Rather -than break the streams for postscript, we introduce a flag -'omitEOD' that can be set for the encoder when we want to produce -a stream for use with PCL/PXL. ---- - base/srle.c | 10 ++++++---- - base/srlx.h | 3 ++- - devices/vector/gdevpx.c | 1 + - psi/zfilter.c | 1 + - 4 files changed, 10 insertions(+), 5 deletions(-) - -diff --git a/base/srle.c b/base/srle.c -index 0c0186e04..21b729f31 100644 ---- a/base/srle.c -+++ b/base/srle.c -@@ -329,11 +329,13 @@ run_len_0_n0_read: - *++q = n0; - } - case state_eod_unmarked: -- if (wlimit - q < 1) { -- ss->state = state_eod_unmarked; -- goto no_output_room; -+ if (!ss->omitEOD) { -+ if (wlimit - q < 1) { -+ ss->state = state_eod_unmarked; -+ goto no_output_room; -+ } -+ *++q = 128; /* EOD */ - } -- *++q = 128; /* EOD */ - case state_eod: - ss->run_len = 0; - ss->state = state_0; -diff --git a/base/srlx.h b/base/srlx.h -index ebf172064..98309dbdb 100644 ---- a/base/srlx.h -+++ b/base/srlx.h -@@ -32,6 +32,7 @@ typedef struct stream_RLE_state_s { - stream_RL_state_common; - /* The following parameters are set by the client. */ - ulong record_size; -+ bool omitEOD; - /* The following change dynamically. */ - ulong record_left; /* bytes left in current record */ - byte n0; -@@ -47,7 +48,7 @@ typedef struct stream_RLE_state_s { - /* We define the initialization procedure here, so that clients */ - /* can avoid a procedure call. */ - #define s_RLE_set_defaults_inline(ss)\ -- ((ss)->EndOfData = true, (ss)->record_size = 0) -+ ((ss)->EndOfData = true, (ss)->omitEOD = false, (ss)->record_size = 0) - #define s_RLE_init_inline(ss)\ - ((ss)->record_left =\ - ((ss)->record_size == 0 ? ((ss)->record_size = max_uint) :\ -diff --git a/devices/vector/gdevpx.c b/devices/vector/gdevpx.c -index 5d2d0edf5..a1fce1b7c 100644 ---- a/devices/vector/gdevpx.c -+++ b/devices/vector/gdevpx.c -@@ -741,6 +741,7 @@ pclxl_write_image_data_RLE(gx_device_pclxl * xdev, const byte * base, - goto nc; - s_RLE_set_defaults_inline(&rlstate); - rlstate.EndOfData = false; -+ rlstate.omitEOD = true; - s_RLE_init_inline(&rlstate); - w.ptr = buf - 1; - w.limit = w.ptr + num_bytes; -diff --git a/psi/zfilter.c b/psi/zfilter.c -index dfe3a1d5b..3ce7652c6 100644 ---- a/psi/zfilter.c -+++ b/psi/zfilter.c -@@ -109,6 +109,7 @@ zRLE(i_ctx_t *i_ctx_p) - stream_RLE_state state; - int code; - -+ s_RLE_template.set_defaults((stream_state *)&state); - check_op(2); - code = rl_setup(op - 1, &state.EndOfData); - if (code < 0) --- -2.47.0 - diff --git a/SOURCES/0001-Bug-705911-Fix-Ghostscript-s-encoding-decoding-of-UT.patch b/SOURCES/0001-Bug-705911-Fix-Ghostscript-s-encoding-decoding-of-UT.patch deleted file mode 100644 index 36b70b2..0000000 --- a/SOURCES/0001-Bug-705911-Fix-Ghostscript-s-encoding-decoding-of-UT.patch +++ /dev/null @@ -1,239 +0,0 @@ -From 4fcf527584da20538ebf9c3c43c3fda25d97cd18 Mon Sep 17 00:00:00 2001 -From: Robin Watts -Date: Tue, 4 Oct 2022 17:36:56 +0100 -Subject: [PATCH] Bug 705911: Fix Ghostscript's encoding/decoding of UTF-8 from - UTF-16. - -We were not coping with high/low surrogate pairs in UTF-16, -meaning that we could encode/decode strings fine for our own -purposes, but when we passed them off to other users (such -as SmartOffice), it would fail to understand our utf-8 encoded -surrogate pairs. - -Thanks to Pete, Joseph and Fred for their help here, and to Silver -for having spotted it! ---- - base/gp_wutf8.c | 162 +++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 127 insertions(+), 35 deletions(-) - -diff --git a/base/gp_wutf8.c b/base/gp_wutf8.c -index b7b1d0758..920114cd1 100644 ---- a/base/gp_wutf8.c -+++ b/base/gp_wutf8.c -@@ -16,6 +16,56 @@ - - #include "windows_.h" - -+static int -+decode_utf8(const char **inp, unsigned int i) -+{ -+ const char *in = *inp; -+ unsigned char c; -+ -+ if (i < 0x80) { -+ } else if ((i & 0xE0) == 0xC0) { -+ i &= 0x1F; -+ c = (unsigned char)*in++; -+ if ((c & 0xC0) != 0x80) -+ goto fail; -+ i = (i<<6) | (c & 0x3f); -+ } else if ((i & 0xF0) == 0xE0) { -+ i &= 0xF; -+ c = (unsigned char)*in++; -+ if ((c & 0xC0) != 0x80) -+ goto fail; -+ i = (i<<6) | (c & 0x3f); -+ c = (unsigned char)*in++; -+ if ((c & 0xC0) != 0x80) -+ goto fail; -+ i = (i<<6) | (c & 0x3f); -+ } else if ((i & 0xF8) == 0xF0) { -+ i &= 0x7; -+ c = (unsigned char)*in++; -+ if ((c & 0xC0) != 0x80) -+ goto fail; -+ i = (i<<6) | (c & 0x3f); -+ c = (unsigned char)*in++; -+ if ((c & 0xC0) != 0x80) -+ goto fail; -+ i = (i<<6) | (c & 0x3f); -+ c = (unsigned char)*in++; -+ if ((c & 0xC0) != 0x80) -+ goto fail; -+ i = (i<<6) | (c & 0x3f); -+ } -+ if (0) -+ { -+ /* If we fail, unread the last one, and return the unicode replacement char. */ -+fail: -+ in--; -+ i = 0xfffd; -+ } -+ *inp = in; -+ -+ return i; -+} -+ - int utf8_to_wchar(wchar_t *out, const char *in) - { - unsigned int i; -@@ -24,47 +74,37 @@ int utf8_to_wchar(wchar_t *out, const char *in) - - if (out) { - while (i = *(unsigned char *)in++) { -- if (i < 0x80) { -- *out++ = (wchar_t)i; -- len++; -- } else if ((i & 0xE0) == 0xC0) { -- i &= 0x1F; -- c = (unsigned char)*in++; -- if ((c & 0xC0) != 0x80) -- return -1; -- i = (i<<6) | (c & 0x3f); -- *out++ = (wchar_t)i; -- len++; -- } else if ((i & 0xF0) == 0xE0) { -- i &= 0xF; -- c = (unsigned char)*in++; -- if ((c & 0xC0) != 0x80) -- return -1; -- i = (i<<6) | (c & 0x3f); -- c = (unsigned char)*in++; -- if ((c & 0xC0) != 0x80) -- return -1; -- i = (i<<6) | (c & 0x3f); -- *out++ = (wchar_t)i; -+ /* Decode UTF-8 */ -+ i = decode_utf8(&in, i); -+ -+ /* Encode, allowing for surrogates. */ -+ if (i >= 0x10000 && i <= 0x10ffff) -+ { -+ i -= 0x10000; -+ *out++ = 0xd800 + (i>>10); -+ *out++ = 0xdc00 + (i & 0x3ff); - len++; -- } else { -+ } -+ else if (i > 0x10000) -+ { - return -1; - } -+ else -+ *out++ = (wchar_t)i; -+ len++; - } - *out = 0; - } else { - while (i = *(unsigned char *)in++) { -- if (i < 0x80) { -- len++; -- } else if ((i & 0xE0) == 0xC0) { -- in++; -- len++; -- } else if ((i & 0xF0) == 0xE0) { -- in+=2; -+ /* Decode UTF-8 */ -+ i = decode_utf8(&in, i); -+ -+ /* Encode, allowing for surrogates. */ -+ if (i >= 0x10000 && i <= 0x10ffff) - len++; -- } else { -+ else if (i > 0x10000) - return -1; -- } -+ len++; - } - } - return len; -@@ -74,9 +114,32 @@ int wchar_to_utf8(char *out, const wchar_t *in) - { - unsigned int i; - unsigned int len = 1; -+ int hi = -1; - - if (out) { - while (i = (unsigned int)*in++) { -+ /* Decode surrogates */ -+ if (i >= 0xD800 && i <= 0xDBFF) -+ { -+ /* High surrogate. Must be followed by a low surrogate, or this is a failure. */ -+ int hi = i & 0x3ff; -+ int j = (unsigned int)*in++; -+ if (j == 0 || (j <= 0xDC00 || j >= 0xDFFF)) -+ { -+ /* Failure! Unicode replacement char! */ -+ in--; -+ i = 0xfffd; -+ } else { -+ /* Decode surrogates */ -+ i = 0x10000 + (hi<<10) + (j & 0x3ff); -+ } -+ } else if (i >= 0xDC00 && i <= 0xDFFF) -+ { -+ /* Lone low surrogate. Failure. Unicode replacement char. */ -+ i = 0xfffd; -+ } -+ -+ /* Encode output */ - if (i < 0x80) { - *out++ = (char)i; - len++; -@@ -84,22 +147,51 @@ int wchar_to_utf8(char *out, const wchar_t *in) - *out++ = 0xC0 | ( i>> 6 ); - *out++ = 0x80 | ( i & 0x3F); - len+=2; -- } else /* if (i < 0x10000) */ { -+ } else if (i < 0x10000) { - *out++ = 0xE0 | ( i>>12 ); - *out++ = 0x80 | ((i>> 6) & 0x3F); - *out++ = 0x80 | ( i & 0x3F); - len+=3; -+ } else { -+ *out++ = 0xF0 | ( i>>18 ); -+ *out++ = 0x80 | ((i>>12) & 0x3F); -+ *out++ = 0x80 | ((i>> 6) & 0x3F); -+ *out++ = 0x80 | ( i & 0x3F); -+ len+=4; - } - } - *out = 0; - } else { - while (i = (unsigned int)*in++) { -+ /* Decode surrogates */ -+ if (i >= 0xD800 && i <= 0xDBFF) -+ { -+ /* High surrogate. Must be followed by a low surrogate, or this is a failure. */ -+ int hi = i & 0x3ff; -+ int j = (unsigned int)*in++; -+ if (j == 0 || (j <= 0xDC00 || j >= 0xDFFF)) -+ { -+ /* Failure! Unicode replacement char! */ -+ in--; -+ i = 0xfffd; -+ } else { -+ /* Decode surrogates */ -+ i = 0x10000 + (hi<<10) + (j & 0x3ff); -+ } -+ } else if (i >= 0xDC00 && i <= 0xDFFF) -+ { -+ /* Lone low surrogate. Failure. Unicode replacement char. */ -+ i = 0xfffd; -+ } -+ - if (i < 0x80) { - len++; - } else if (i < 0x800) { - len += 2; -- } else /* if (i < 0x10000) */ { -+ } else if (i < 0x10000) { - len += 3; -+ } else { -+ len += 4; - } - } - } --- -2.49.0 - diff --git a/SOURCES/0001-PostScript-interpreter-fix-buffer-length-check.patch b/SOURCES/0001-PostScript-interpreter-fix-buffer-length-check.patch deleted file mode 100644 index 0dcf0d5..0000000 --- a/SOURCES/0001-PostScript-interpreter-fix-buffer-length-check.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/psi/zfile.c b/psi/zfile.c -index 05b8203..ee40a75 100644 ---- a/psi/zfile.c -+++ b/psi/zfile.c -@@ -437,7 +437,7 @@ file_continue(i_ctx_t *i_ctx_p) - if (code == ~(uint) 0) { /* all done */ - esp -= 5; /* pop proc, pfen, devlen, iodev , mark */ - return o_pop_estack; -- } else if (code > len) { /* overran string */ -+ } else if (code > len - devlen) { /* overran string */ - return_error(gs_error_rangecheck); - } - else if (iodev != iodev_default(imemory) diff --git a/SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch b/SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch deleted file mode 100644 index 80b0b7d..0000000 --- a/SOURCES/ghostscript-9.23-100-run-dvipdf-securely.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 91c9c6d17d445781ee572c281b8b9d75d96f9df8 Mon Sep 17 00:00:00 2001 -From: "David Kaspar [Dee'Kej]" -Date: Fri, 7 Oct 2016 13:57:01 +0200 -Subject: [PATCH] Make sure 'dvipdf' is being run securely - ---- - lib/dvipdf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/dvipdf b/lib/dvipdf -index 802aeab..c92dfb0 100755 ---- a/lib/dvipdf -+++ b/lib/dvipdf -@@ -43,4 +43,4 @@ fi - - # We have to include the options twice because -I only takes effect if it - # appears before other options. --exec dvips -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite - -+exec dvips -R -Ppdf $DVIPSOPTIONS -q -f "$infile" | $GS_EXECUTABLE $OPTIONS -q -P- -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=%stderr -sOutputFile="$outfile" $OPTIONS -c .setpdfwrite - --- -2.14.3 - diff --git a/SOURCES/ghostscript-9.27-CVE-2023-28879.patch b/SOURCES/ghostscript-9.27-CVE-2023-28879.patch deleted file mode 100644 index 0629e99..0000000 --- a/SOURCES/ghostscript-9.27-CVE-2023-28879.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 -From: Ken Sharp -Date: Fri, 24 Mar 2023 13:19:57 +0000 -Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding - -Bug #706494 "Buffer Overflow in s_xBCPE_process" - -As described in detail in the bug report, if the write buffer is filled -to one byte less than full, and we then try to write an escaped -character, we overrun the buffer because we don't check before -writing two bytes to it. - -This just checks if we have two bytes before starting to write an -escaped character and exits if we don't (replacing the consumed byte -of the input). - -Up for further discussion; why do we even permit a BCP encoding filter -anyway ? I think we should remove this, at least when SAFER is true. ---- - base/sbcp.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/base/sbcp.c b/base/sbcp.c -index 979ae0992..47fc233ec 100644 ---- a/base/sbcp.c -+++ b/base/sbcp.c -@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, - byte ch = *++p; - - if (ch <= 31 && escaped[ch]) { -+ /* Make sure we have space to store two characters in the write buffer, -+ * if we don't then exit without consuming the input character, we'll process -+ * that on the next time round. -+ */ -+ if (pw->limit - q < 2) { -+ p--; -+ break; -+ } - if (p == rlimit) { - p--; - break; --- -2.39.2 - diff --git a/SOURCES/ghostscript-9.27-CVE-2023-38559.patch b/SOURCES/ghostscript-9.27-CVE-2023-38559.patch deleted file mode 100644 index 74e6fb8..0000000 --- a/SOURCES/ghostscript-9.27-CVE-2023-38559.patch +++ /dev/null @@ -1,27 +0,0 @@ -From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Mon, 17 Jul 2023 14:06:37 +0100 -Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from - devices/gdevpcx.c - -Bounds check the buffer, before dereferencing the pointer. ---- - base/gdevdevn.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/gdevdevn.c b/base/gdevdevn.c -index 7b14d9c71..6351fb77a 100644 ---- a/base/gdevdevn.c -+++ b/base/gdevdevn.c -@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file - byte data = *from; - - from += step; -- if (data != *from || from == end) { -+ if (from >= end || data != *from) { - if (data >= 0xc0) - putc(0xc1, file); - } else { --- -2.41.0 - diff --git a/SOURCES/ghostscript-9.27-CVE-2023-4042.patch b/SOURCES/ghostscript-9.27-CVE-2023-4042.patch deleted file mode 100644 index d2b9af7..0000000 --- a/SOURCES/ghostscript-9.27-CVE-2023-4042.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 2793769ff107d8d22dadd30c6e68cd781b569550 Mon Sep 17 00:00:00 2001 -From: Julian Smith -Date: Mon, 4 Nov 2019 12:30:33 +0000 -Subject: [PATCH] Bug 701819: fixed ordering in if expression to avoid - out-of-bounds access. - -Fixes: - ./sanbin/gs -dBATCH -dNOPAUSE -r965 -sOutputFile=tmp -sDEVICE=pcx16 ../bug-701819.pdf ---- - devices/gdevpcx.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/devices/gdevpcx.c b/devices/gdevpcx.c -index 1735851d2..91de4abb6 100644 ---- a/devices/gdevpcx.c -+++ b/devices/gdevpcx.c -@@ -442,7 +442,7 @@ pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file) - byte data = *from; - - from += step; -- if (data != *from || from == end) { -+ if (from >= end || data != *from) { - if (data >= 0xc0) - putc(0xc1, file); - } else { --- -2.41.0 - diff --git a/SOURCES/ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch b/SOURCES/ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch deleted file mode 100644 index 35a37b7..0000000 --- a/SOURCES/ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 0b74b65ecc0f36d40b8d04a7fa1fa8b5f9d2b3ff Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Thu, 13 Oct 2022 14:55:28 +0100 -Subject: [PATCH] Deal with different VM modes during CIDFont loading - -To help differentiate between a substituted CIDFont and an embedded one, a -change was made to store the file path in the CIDFont dictionary. That change -failed to account for the possibility that the file object and the CIDFont -dictionary may not be in compatible VM modes. - -This adds code to ensure that the string holding the path is in a suitable VM -mode to be stored into the dictionary. - -Reported by Richard Lescak ---- - Resource/Init/gs_cidfn.ps | 23 +++++++++++++++++++---- - 1 file changed, 19 insertions(+), 4 deletions(-) - -diff --git a/Resource/Init/gs_cidfn.ps b/Resource/Init/gs_cidfn.ps -index 870a2e11c..fa050ed7a 100644 ---- a/Resource/Init/gs_cidfn.ps -+++ b/Resource/Init/gs_cidfn.ps -@@ -1,4 +1,4 @@ --% Copyright (C) 2001-2019 Artifex Software, Inc. -+% Copyright (C) 2001-2022 Artifex Software, Inc. - % All Rights Reserved. - % - % This software is provided AS-IS with no warranty, either express or -@@ -36,6 +36,17 @@ - - 30 dict begin - -+/.gcompatstringcopy % .gcompatstringcopy -+{ -+ dup 2 index gcheck eq -+ { pop } -+ { -+ currentglobal 3 1 roll setglobal -+ dup length string copy -+ exch setglobal -+ } ifelse -+} bind def -+ - % The key in .cidfonttypes is the CIDFontType value; - % the value is a procedure that takes a font name and the CIDFont dictionary - % and replaces the latter with a real font. -@@ -58,7 +69,7 @@ dup 0 { - end - } if - 1 index exch .buildfont9 -- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse -+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse - exch pop - } put % Don't bind it here, because gs_fapi.ps redefines .buildfont9 - -@@ -138,10 +149,11 @@ dup 0 { - - % ------ CIDFontType 1 (FontType 10) ------ % - -+ - dup 1 { - 10 //.checkfonttype exec pop - 1 index exch .buildfont10 -- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse -+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse - exch pop - } put % Don't bind it here because gs_fapi.ps redefines .buildfont10 - -@@ -150,12 +162,15 @@ dup 1 { - dup 2 { - 11 //.checkfonttype exec pop - 1 index exch .buildfont11 -- .currentresourcefile dup type /filetype eq { //.filename {1 index exch /ResourcePath exch put} if }{ pop} ifelse -+ .currentresourcefile dup type /filetype eq { //.filename {1 index gcheck //.gcompatstringcopy exec 1 index exch /ResourcePath exch put} if }{ pop} ifelse - exch pop - } put % Don't bind it here because gs_fapi.ps redefines .buildfont11 - -+currentdict /.gcompatstringcopy .undef -+ - pop % .cidfonttypes - -+ - % ---------------- Reading CIDFontType 0 files ---------------- % - - /StartData { % <(Binary)|(Hex)> StartData - --- -2.37.3 - diff --git a/SOURCES/ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch b/SOURCES/ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch deleted file mode 100644 index e0ba1fe..0000000 --- a/SOURCES/ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff -x .git -Napur ghostscript-9.27.old/contrib/japanese/gdevespg.c ghostscript-9.27.new/contrib/japanese/gdevespg.c ---- ghostscript-9.27.old/contrib/japanese/gdevespg.c 2019-04-04 00:43:14.000000000 -0700 -+++ ghostscript-9.27.new/contrib/japanese/gdevespg.c 2023-01-24 11:25:32.588189093 -0800 -@@ -273,6 +273,9 @@ escpage_paper_set(gx_device_printer * pd - int width, height, w, h, wp, hp, bLandscape; - EpagPaperTable *pt; - -+ /* Page size match tolerance in points */ -+ #define TOL 5 -+ - width = pdev->MediaSize[0]; - height = pdev->MediaSize[1]; - -@@ -291,7 +294,7 @@ escpage_paper_set(gx_device_printer * pd - } - - for (pt = epagPaperTable; pt->escpage > 0; pt++) -- if (pt->width == w && pt->height == h) -+ if (abs(w - pt->width) <= TOL && abs(h - pt->height) <= TOL) - break; - - fprintf(fp, "%c%d", GS, pt->escpage); diff --git a/SOURCES/ghostscript-9.27-avoid-divide-by-zero-in-devices.patch b/SOURCES/ghostscript-9.27-avoid-divide-by-zero-in-devices.patch deleted file mode 100644 index bbf1e1f..0000000 --- a/SOURCES/ghostscript-9.27-avoid-divide-by-zero-in-devices.patch +++ /dev/null @@ -1,88 +0,0 @@ -From f70ab2044429fe4b991801476ea3f4b4a5c0cdf4 Mon Sep 17 00:00:00 2001 -From: Julian Smith -Date: Wed, 6 Nov 2019 11:46:10 +0000 -Subject: [PATCH 1/2] Bug 701843: avoid divide by zero caused by custom - resolution being too low. - -Fixes: - ./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r8 -dNOCIE -dFitPage -sOutputFile=tmp -sDEVICE=eps9mid ../bug-701843.pdf ---- - devices/gdevepsn.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/devices/gdevepsn.c b/devices/gdevepsn.c -index 49faaf3d7..3e5388322 100644 ---- a/devices/gdevepsn.c -+++ b/devices/gdevepsn.c -@@ -159,10 +159,10 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high, - int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev); - /* Note that in_size is a multiple of 8. */ - int in_size = line_size * (8 * in_y_mult); -- byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)"); -- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)"); -- byte *in = buf1; -- byte *out = buf2; -+ byte *buf1; -+ byte *buf2; -+ byte *in; -+ byte *out; - int out_y_mult = (y_24pin ? 3 : 1); - int x_dpi = (int)pdev->x_pixels_per_inch; - char start_graphics = -@@ -174,6 +174,17 @@ eps_print_page(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high, - int bytes_per_space = dots_per_space * out_y_mult; - int tab_min_pixels = x_dpi * MIN_TAB_10THS / 10; - int skip = 0, lnum = 0, pass, ypass; -+ -+ if (bytes_per_space == 0) { -+ /* This avoids divide by zero later on, bug 701843. */ -+ return_error(gs_error_rangecheck); -+ } -+ -+ buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf1)"); -+ buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "eps_print_page(buf2)"); -+ in = buf1; -+ out = buf2; -+ - - /* Check allocations */ - if ( buf1 == 0 || buf2 == 0 ) - -diff --git a/devices/gdevepsc.c b/devices/gdevepsc.c ---- a/devices/gdevepsc.c -+++ b/devices/gdevepsc.c -@@ -174,13 +174,7 @@ - int y_mult = (y_24pin ? 3 : 1); - int line_size = (pdev->width + 7) >> 3; /* always mono */ - int in_size = line_size * (8 * y_mult); -- byte *in = -- (byte *) gs_malloc(pdev->memory, in_size + 1, 1, -- "epsc_print_page(in)"); - int out_size = ((pdev->width + 7) & -8) * y_mult; -- byte *out = -- (byte *) gs_malloc(pdev->memory, out_size + 1, 1, -- "epsc_print_page(out)"); - int x_dpi = (int)pdev->x_pixels_per_inch; - char start_graphics = (char) - ((y_24pin ? graphics_modes_24 : graphics_modes_9)[x_dpi / 60]); -@@ -195,6 +189,20 @@ - int color_line_size, color_in_size; - int spare_bits = (pdev->width % 8); /* left over bits to go to margin */ - int whole_bits = pdev->width - spare_bits; -+ byte *out; -+ byte *in; -+ -+ if (bytes_per_space == 0) { -+ /* This avoids divide by zero later on, bug 701843. */ -+ return_error(gs_error_rangecheck); -+ } -+ -+ in = -+ (byte *) gs_malloc(pdev->memory, in_size + 1, 1, -+ "epsc_print_page(in)"); -+ out = -+ (byte *) gs_malloc(pdev->memory, out_size + 1, 1, -+ "epsc_print_page(out)"); - - /* Check allocations */ - if (in == 0 || out == 0) { diff --git a/SOURCES/ghostscript-9.27-fix-bbox.patch b/SOURCES/ghostscript-9.27-fix-bbox.patch deleted file mode 100644 index fdb7f3a..0000000 --- a/SOURCES/ghostscript-9.27-fix-bbox.patch +++ /dev/null @@ -1,63 +0,0 @@ -diff -Napur ghostscript-9.27.old/base/fapi_ft.c ghostscript-9.27.new/base/fapi_ft.c ---- ghostscript-9.27.old/base/fapi_ft.c 2019-04-04 00:43:14.000000000 -0700 -+++ ghostscript-9.27.new/base/fapi_ft.c 2023-03-07 16:41:56.217995052 -0800 -@@ -974,13 +974,19 @@ make_rotation(FT_Matrix * a_transform, c - */ - static void - transform_decompose(FT_Matrix * a_transform, FT_UInt * xresp, FT_UInt * yresp, -- FT_Fixed * a_x_scale, FT_Fixed * a_y_scale) -+ FT_Fixed * a_x_scale, FT_Fixed * a_y_scale, int units_per_EM) - { - double scalex, scaley, fact = 1.0; - double factx = 1.0, facty = 1.0; - FT_Matrix ftscale_mat; - FT_UInt xres; - FT_UInt yres; -+ /* We have to account for units_per_EM as we fiddle with the scaling -+ * in order to avoid underflow (mostly in the TTF hinting code), but -+ * we also want to clamp to a lower value (512, admittedly arrived at -+ * via experimentation) in order to preserve the fidelity of the outlines. -+ */ -+ double upe = units_per_EM > 512 ? (float)units_per_EM : 512.0; - - scalex = hypot((double)a_transform->xx, (double)a_transform->xy); - scaley = hypot((double)a_transform->yx, (double)a_transform->yy); -@@ -1067,10 +1073,25 @@ transform_decompose(FT_Matrix * a_transf - scalex *= fact; - } - -- ftscale_mat.xx = (FT_Fixed) (65536.0 / scalex); -- ftscale_mat.xy = (FT_Fixed) 0; -- ftscale_mat.yx = (FT_Fixed) 0; -- ftscale_mat.yy = (FT_Fixed) (65536.0 / scaley); -+ /* see above */ -+ fact = 1.0; -+ while (scaley * yres > (double)upe * 72.0 && (xres > 0 && yres > 0) -+ && (scalex > 0.0 && scaley > 0.0)) { -+ if (scaley < yres) { -+ xres >>= 1; -+ yres >>= 1; -+ fact *= 2.0; -+ } -+ else { -+ scalex /= 1.25; -+ scaley /= 1.25; -+ } -+ } -+ -+ ftscale_mat.xx = (FT_Fixed) ((65536.0 / scalex) * fact); -+ ftscale_mat.xy = 0; -+ ftscale_mat.yx = 0; -+ ftscale_mat.yy = (FT_Fixed) ((65536.0 / scaley) * fact); - - FT_Matrix_Multiply(a_transform, &ftscale_mat); - memcpy(a_transform, &ftscale_mat, sizeof(FT_Matrix)); -@@ -1315,7 +1336,7 @@ gs_fapi_ft_get_scaled_font(gs_fapi_serve - * transform. - */ - transform_decompose(&face->ft_transform, &face->horz_res, -- &face->vert_res, &face->width, &face->height); -+ &face->vert_res, &face->width, &face->height, face->ft_face->units_per_EM); - - ft_error = FT_Set_Char_Size(face->ft_face, face->width, face->height, - face->horz_res, face->vert_res); diff --git a/SOURCES/ghostscript-9.27-fix-use-of-HWMargins.patch b/SOURCES/ghostscript-9.27-fix-use-of-HWMargins.patch deleted file mode 100644 index 08aec96..0000000 --- a/SOURCES/ghostscript-9.27-fix-use-of-HWMargins.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -Napur '--exclude=.git' ghostscript-9.27.old/devices/vector/opdfread.ps ghostscript-9.27.new/devices/vector/opdfread.ps ---- ghostscript-9.27.old/devices/vector/opdfread.ps 2019-04-04 00:43:14.000000000 -0700 -+++ ghostscript-9.27.new/devices/vector/opdfread.ps 2022-06-14 17:44:27.963033829 -0700 -@@ -998,10 +998,10 @@ currentdict end readonly def - } if % id obj node - 1 index exch /Context exch put % id obj - dup /ImmediateExec true put -- dup /IsPage true put -- SetPageSize {dup /Context get //SetupPageView exec} if - % This gets restored at the end of ExecuteStream if IsPage is true. - /pagesave save def -+ dup /IsPage true put -+ SetPageSize {dup /Context get //SetupPageView exec} if - } bind def - - /FontFileDaemon % FontFileDaemon diff --git a/SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch b/SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch deleted file mode 100644 index 29dbebb..0000000 --- a/SOURCES/ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 346f12459aa67cdb5ff9e267c2c8cccc17f4a376 Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Wed, 15 Mar 2023 15:38:29 +0000 -Subject: [PATCH] Bug 706478: pdfwrite: Substituted TTF CIDFont CID handling - -The PS interpreter callback that handles converting a CID to a TTF GID did -not handle the case of substituted CIDFonts. - -It requires looking up the CID on the Decoding (to get a Unicode code point), -and then looking up the code point in the TTF cmap table to get the GID. - -The rendering code already handled it. ---- - psi/zfcid1.c | 73 +++++++++++++++++++++++++++++++++------------------- - 1 file changed, 46 insertions(+), 27 deletions(-) - -diff --git a/psi/zfcid1.c b/psi/zfcid1.c -index fd502ff12..55de85d45 100644 ---- a/psi/zfcid1.c -+++ b/psi/zfcid1.c -@@ -77,37 +77,56 @@ - int gdbytes = pfont->cidata.common.GDBytes; - int gnum = 0; - const byte *data; -- int i, code; -+ int i, code = -1; - ref rcid; - ref *prgnum; -+ ref *p, *fdict = pfont_dict(pfont); -+ -+ if (r_has_type(fdict, t_dictionary) && dict_find_string(fdict, "Path", &p)) { -+ ref *Decoding = NULL, *TT_cmap = NULL, *SubstNWP = NULL, src_type, dst_type; -+ uint c; -+ -+ code = dict_find_string(fdict, "Decoding", &Decoding); -+ if (code > 0) -+ code = dict_find_string(fdict, "TT_cmap", &TT_cmap); -+ if (code > 0) -+ code = dict_find_string(fdict, "SubstNWP", &SubstNWP); -+ if (code > 0) { -+ code = cid_to_TT_charcode(pfont->memory, Decoding, TT_cmap, SubstNWP, cid, &c, &src_type, &dst_type); -+ if (code >= 0) -+ gnum = c; -+ } -+ } - -- switch (r_type(pcidmap)) { -- case t_string: -- if (cid >= r_size(pcidmap) / gdbytes) -- return_error(gs_error_rangecheck); -- data = pcidmap->value.const_bytes + cid * gdbytes; -- break; -- case t_integer: -- return cid + pcidmap->value.intval; -- case t_dictionary: -- make_int(&rcid, cid); -- code = dict_find(pcidmap, &rcid, &prgnum); -- if (code <= 0) -- return (code < 0 ? code : gs_note_error(gs_error_undefined)); -- if (!r_has_type(prgnum, t_integer)) -- return_error(gs_error_typecheck); -- return prgnum->value.intval; -- default: /* array type */ -- code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes, -- gdbytes, NULL, NULL, &data); -+ if (code < 0) { -+ switch (r_type(pcidmap)) { -+ case t_string: -+ if (cid >= r_size(pcidmap) / gdbytes) -+ return_error(gs_error_rangecheck); -+ data = pcidmap->value.const_bytes + cid * gdbytes; -+ break; -+ case t_integer: -+ return cid + pcidmap->value.intval; -+ case t_dictionary: -+ make_int(&rcid, cid); -+ code = dict_find(pcidmap, &rcid, &prgnum); -+ if (code <= 0) -+ return (code < 0 ? code : gs_note_error(gs_error_undefined)); -+ if (!r_has_type(prgnum, t_integer)) -+ return_error(gs_error_typecheck); -+ return prgnum->value.intval; -+ default: /* array type */ -+ code = string_array_access_proc(pfont->memory, pcidmap, 1, cid * gdbytes, -+ gdbytes, NULL, NULL, &data); - -- if (code < 0) -- return code; -- if ( code > 0 ) -- return_error(gs_error_invalidfont); -+ if (code < 0) -+ return code; -+ if ( code > 0 ) -+ return_error(gs_error_invalidfont); -+ } -+ for (i = 0; i < gdbytes; ++i) -+ gnum = (gnum << 8) + data[i]; - } -- for (i = 0; i < gdbytes; ++i) -- gnum = (gnum << 8) + data[i]; - if (gnum >= pfont->data.trueNumGlyphs) - return_error(gs_error_invalidfont); - return gnum; --- -2.39.2 - diff --git a/SOURCES/ghostscript-cve-2019-10216.patch b/SOURCES/ghostscript-cve-2019-10216.patch deleted file mode 100644 index 83fc1f9..0000000 --- a/SOURCES/ghostscript-cve-2019-10216.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5b85ddd19a8420a1bd2d5529325be35d78e94234 Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Fri, 2 Aug 2019 15:18:26 +0100 -Subject: Bug 701394: protect use of .forceput with executeonly - - -diff --git a/Resource/Init/gs_type1.ps b/Resource/Init/gs_type1.ps -index 6c7735bc0c..a039ccee35 100644 ---- a/Resource/Init/gs_type1.ps -+++ b/Resource/Init/gs_type1.ps -@@ -118,25 +118,25 @@ - ( to be the same as glyph: ) print 1 index //== exec } if - 3 index exch 3 index .forceput - % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname -- } -+ }executeonly - {pop} ifelse -- } forall -+ } executeonly forall - pop pop -- } -+ } executeonly - { - pop pop pop - } ifelse -- } -+ } executeonly - { - % scratch(string) RAGL(dict) AGL(dict) CharStrings(dict) cstring gname - pop pop - } ifelse -- } forall -+ } executeonly forall - 3 1 roll pop pop -- } if -+ } executeonly if - pop - dup /.AGLprocessed~GS //true .forceput -- } if -+ } executeonly if - - %% We need to excute the C .buildfont1 in a stopped context so that, if there - %% are errors we can put the stack back sanely and exit. Otherwise callers won't diff --git a/SOURCES/ghostscript-cve-2019-14811-14812-14813.patch b/SOURCES/ghostscript-cve-2019-14811-14812-14813.patch deleted file mode 100644 index ec4164b..0000000 --- a/SOURCES/ghostscript-cve-2019-14811-14812-14813.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001 -From: Ken Sharp -Date: Tue, 20 Aug 2019 10:10:28 +0100 -Subject: make .forceput inaccessible - -Bug #701343, #701344, #701345 - -More defensive programming. We don't want people to access .forecput -even though it is no longer sufficient to bypass SAFER. The exploit -in #701343 didn't work anyway because of earlier work to stop the error -handler being used, but nevertheless, prevent access to .forceput from -.setuserparams2. - -diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps -index 4cc7f820f..0fd416465 100644 ---- a/Resource/Init/gs_lev2.ps -+++ b/Resource/Init/gs_lev2.ps -@@ -158,7 +158,7 @@ end - { - pop pop - } ifelse -- } forall -+ } executeonly forall - % A context switch might have occurred during the above loop, - % causing the interpreter-level parameters to be reset. - % Set them again to the new values. From here on, we are safe, -@@ -229,9 +229,9 @@ end - { pop pop - } - ifelse -- } -+ } executeonly - forall pop --} .bind odef -+} .bind executeonly odef - - % Initialize the passwords. - % NOTE: the names StartJobPassword and SystemParamsPassword are known to -diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps -index c158a8faf..422e66e1a 100644 ---- a/Resource/Init/gs_pdfwr.ps -+++ b/Resource/Init/gs_pdfwr.ps -@@ -658,11 +658,11 @@ currentdict /.pdfmarkparams .undef - systemdict /.pdf_hooked_DSC_Creator //true .forceput - } executeonly if - pop -- } if -+ } executeonly if - } { - pop - } ifelse -- } -+ } executeonly - { - pop - } ifelse diff --git a/SOURCES/ghostscript-cve-2019-14817.patch b/SOURCES/ghostscript-cve-2019-14817.patch deleted file mode 100644 index 2e6b7fe..0000000 --- a/SOURCES/ghostscript-cve-2019-14817.patch +++ /dev/null @@ -1,189 +0,0 @@ -diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps -index 1a218f4..cffde5c 100644 ---- a/Resource/Init/pdf_base.ps -+++ b/Resource/Init/pdf_base.ps -@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef - { - dup ==only () = flush - } ifelse % PDFSTEP -- } if % PDFDEBUG -+ } executeonly if % PDFDEBUG - 2 copy .knownget { - exch pop exch pop exch pop exec - } { -diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps -index e18a7c2..0a3924c 100644 ---- a/Resource/Init/pdf_draw.ps -+++ b/Resource/Init/pdf_draw.ps -@@ -501,8 +501,8 @@ end - ( Output may be incorrect.\n) pdfformaterror - //pdfdict /.gs_warning_issued //true .forceput - PDFSTOPONERROR { /gs /undefined signalerror } if -- } if -- } -+ } executeonly if -+ } executeonly - ifelse - } bind executeonly def - -@@ -1142,7 +1142,7 @@ currentdict end readonly def - .setglobal - pdfformaterror - } executeonly ifelse -- } -+ } executeonly - { - currentglobal //pdfdict gcheck .setglobal - //pdfdict /.Qqwarning_issued //true .forceput -@@ -1150,8 +1150,8 @@ currentdict end readonly def - pdfformaterror - } executeonly ifelse - end -- } ifelse -- } loop -+ } executeonly ifelse -+ } executeonly loop - { - (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) - //pdfdict /.Qqwarning_issued .knownget -@@ -1165,14 +1165,14 @@ currentdict end readonly def - .setglobal - pdfformaterror - } executeonly ifelse -- } -+ } executeonly - { - currentglobal //pdfdict gcheck .setglobal - //pdfdict /.Qqwarning_issued //true .forceput - .setglobal - pdfformaterror - } executeonly ifelse -- } if -+ } executeonly if - pop - - % restore pdfemptycount -diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps -index 9fb85f6..357ba30 100644 ---- a/Resource/Init/pdf_font.ps -+++ b/Resource/Init/pdf_font.ps -@@ -677,7 +677,7 @@ currentdict end readonly def - currentglobal 2 index dup gcheck setglobal - /FontInfo 5 dict dup 5 1 roll .forceput - setglobal -- } if -+ } executeonly if - dup /GlyphNames2Unicode .knownget not { - //true % No existing G2U, make one - } { -@@ -701,9 +701,9 @@ currentdict end readonly def - } if - PDFDEBUG { - (.processToUnicode end) = -- } if -- } if -- } stopped -+ } executeonly if -+ } executeonly if -+ } executeonly stopped - { - .dstackdepth 1 countdictstack 1 sub - {pop end} for -@@ -1233,19 +1233,20 @@ currentdict /eexec_pdf_param_dict .undef - //pdfdict /.Qqwarning_issued //true .forceput - } executeonly if - Q -- } repeat -+ } executeonly repeat - Q -- } PDFfile fileposition 2 .execn % Keep pdfcount valid. -+ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid. - PDFfile exch setfileposition -- } ifelse -- } { -+ } executeonly ifelse -+ } executeonly -+ { - % PDF Type 3 fonts don't use .notdef - % d1 implementation adjusts the width as needed - 0 0 0 0 0 0 - pdfopdict /d1 get exec - } ifelse - end end -- } bdef -+ } executeonly bdef - dup currentdict Encoding .processToUnicode - currentdict end .completefont exch pop - } bind executeonly odef -@@ -2045,9 +2046,9 @@ currentdict /CMap_read_dict undef - (Will continue, but content may be missing.) = flush - } ifelse - } if -- } if -+ } executeonly if - /findresource cvx /undefined signalerror -- } loop -+ } executeonly loop - } bind executeonly odef - - /buildCIDType0 { % buildCIDType0 -diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps -index 5305ea6..a59e63c 100644 ---- a/Resource/Init/pdf_main.ps -+++ b/Resource/Init/pdf_main.ps -@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef - .setglobal - pdfformaterror - } executeonly ifelse -- } -+ } executeonly - { - currentglobal //pdfdict gcheck .setglobal - //pdfdict /.Qqwarning_issued //true .forceput - .setglobal - pdfformaterror - } executeonly ifelse -- } if -- } if -+ } executeonly if -+ } executeonly if - pop - count PDFexecstackcount sub { pop } repeat - (after exec) VMDEBUG -diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps -index 285e582..6c1f100 100644 ---- a/Resource/Init/pdf_ops.ps -+++ b/Resource/Init/pdf_ops.ps -@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef - .setglobal - pdfformaterror - } executeonly ifelse -- } -+ } executeonly - { - currentglobal //pdfdict gcheck .setglobal - //pdfdict /.Qqwarning_issued //true .forceput - .setglobal - pdfformaterror - } executeonly ifelse -- } if -+ } executeonly if - } bind executeonly odef - - % Save PDF gstate -@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef - dup type /booleantype eq { - .currentSMask type /dicttype eq { - .currentSMask /Processed 2 index .forceput -+ } executeonly -+ { -+ .setSMask -+ }ifelse - } executeonly - { -- .setSMask -- }ifelse -- }{ - .setSMask - }ifelse - diff --git a/SOURCES/ghostscript-cve-2020-16290.patch b/SOURCES/ghostscript-cve-2020-16290.patch deleted file mode 100644 index 9329f39..0000000 --- a/SOURCES/ghostscript-cve-2020-16290.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/devices/gdev3852.c b/devices/gdev3852.c -index e21b403..2bee8ec 100644 ---- a/devices/gdev3852.c -+++ b/devices/gdev3852.c -@@ -76,6 +76,13 @@ jetp3852_print_page(gx_device_printer *pdev, FILE *prn_stream) - { int lnum; - int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev); - int num_blank_lines = 0; -+ -+ if (line_size > DATA_SIZE) { -+ emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n", -+ line_size, DATA_SIZE); -+ return_error(gs_error_rangecheck); -+ } -+ - for ( lnum = 0; lnum < pdev->height; lnum++ ) - { byte *end_data = data + line_size; - gdev_prn_copy_scan_lines(pdev, lnum, diff --git a/SOURCES/ghostscript-cve-2020-16291.patch b/SOURCES/ghostscript-cve-2020-16291.patch deleted file mode 100644 index 39bc9d8..0000000 --- a/SOURCES/ghostscript-cve-2020-16291.patch +++ /dev/null @@ -1,257 +0,0 @@ -diff --git a/contrib/gdevdj9.c b/contrib/gdevdj9.c -index eec1c77..a4e8e9c 100644 ---- a/contrib/gdevdj9.c -+++ b/contrib/gdevdj9.c -@@ -575,26 +575,55 @@ static int cdj_set_bpp(gx_device *, int, int); - static int - hp_colour_open(gx_device * pdev) - { -- int retCode; -+ int retCode = 0; -+ -+ /* Change the margins if necessary. */ -+ static const float dj_a4[4] = { -+ DESKJET_MARGINS_A4 -+ }; -+ -+ static const float dj_letter[4] = { -+ DESKJET_MARGINS_LETTER -+ }; -+ const float *m = (float *)0; - - cdj970->PageCtr = 0; - -+ /* quality setup */ -+ if (cdj970->quality == DRAFT) { -+ gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0); -+ cdj970->xscal = 0; -+ cdj970->yscal = 0; -+ cdj970->intensities = 2; -+ } else if (cdj970->quality == NORMAL) { -+ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); -+ cdj970->xscal = 1; -+ cdj970->yscal = 1; -+ /* intensities = 4 from initialization */ -+ } else { /* quality == PRESENTATION */ -+ gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); -+ cdj970->xscal = 0; -+ cdj970->yscal = 0; -+ /* intensities = 4 from initialization */ -+ } -+ -+ m = (gdev_pcl_paper_size((gx_device *) pdev) == -+ PAPER_SIZE_A4 ? dj_a4 : dj_letter); -+ -+ gx_device_set_margins((gx_device *) pdev, m, true); -+ - /* Set up colour params if put_params has not already done so */ - if (pdev->color_info.num_components == 0) { -- int code = cdj_set_bpp(pdev, pdev->color_info.depth, -+ retCode = cdj_set_bpp(pdev, pdev->color_info.depth, - pdev->color_info.num_components); - -- if (code < 0) -- return code; -+ if (retCode < 0) -+ return retCode; - } - - retCode = gdev_prn_open(pdev); -- if (retCode < 0) -- return (retCode); -- else { -+ if (retCode >= 0) { - retCode = gdev_prn_open_printer(pdev, true); -- if (retCode < 0) -- return (retCode); - } - - return 0; -@@ -648,26 +677,25 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist) - int bpp = 0; - int code = 0; - -- code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code); -- code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code); -- code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code); -- code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code); -- code = -- cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0, -- code); -- code = -- cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code); -- code = -- cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code); -- code = -- cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code); -- code = -- cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code); -- code = -- cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0, -- code); -- -- if (code < 0) -+ if ((code = cdj_put_param_int(plist, "BitsPerPixel", &bpp, 1, 32, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_int(plist, "Quality", &quality, 0, 2, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_int(plist, "Papertype", &papertype, 0, 4, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_int(plist, "Duplex", &duplex, 0, 2, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_float(plist, "MasterGamma", &mastergamma, 0.1, 9.0, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_float(plist, "GammaValC", &gammavalc, 0.0, 9.0, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_float(plist, "GammaValM", &gammavalm, 0.0, 9.0, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_float(plist, "GammaValY", &gammavaly, 0.0, 9.0, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_float(plist, "GammaValK", &gammavalk, 0.0, 9.0, code)) < 0) -+ return code; -+ if ((code = cdj_put_param_float(plist, "BlackCorrect", &blackcorrect, 0.0, 9.0, code)) < 0) - return code; - - code = cdj_put_param_bpp(pdev, plist, bpp, bpp, 0); -@@ -676,6 +704,12 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist) - return code; - - cdj970->quality = quality; -+ if (cdj970->quality != quality) { -+ if (pdev->is_open) -+ gs_closedevice(pdev); /* quality can change resolution, force re-open */ -+ cdj970->quality = quality; -+ } -+ - cdj970->papertype = papertype; - cdj970->duplex = duplex; - cdj970->mastergamma = mastergamma; -@@ -685,7 +719,7 @@ cdj970_put_params(gx_device * pdev, gs_param_list * plist) - cdj970->gammavalk = gammavalk; - cdj970->blackcorrect = blackcorrect; - -- return 0; -+ return code; - } - - /**********************************************************************************/ -@@ -784,47 +818,6 @@ cdj970_terminate_page(gx_device_printer * pdev, FILE * prn_stream) - fputs("\033*rC\f\033&l-2H", prn_stream); /* End Graphics, Reset */ - } - --/* cdj970_one_time_initialisation: ------------------------------------------------------------------------------------*/ --static void --cdj970_one_time_initialisation(gx_device_printer * pdev) --{ -- /* Change the margins if necessary. */ -- static const float dj_a4[4] = { -- DESKJET_MARGINS_A4 -- }; -- -- static const float dj_letter[4] = { -- DESKJET_MARGINS_LETTER -- }; -- const float *m = (float *)0; -- -- /* quality setup */ -- if (cdj970->quality == DRAFT) { -- gx_device_set_resolution((gx_device *) pdev, 300.0, 300.0); -- cdj970->xscal = 0; -- cdj970->yscal = 0; -- cdj970->intensities = 2; -- } else if (cdj970->quality == NORMAL) { -- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); -- cdj970->xscal = 1; -- cdj970->yscal = 1; -- /* intensities = 4 from initialization */ -- } else { /* quality == PRESENTATION */ -- gx_device_set_resolution((gx_device *) pdev, 600.0, 600.0); -- cdj970->xscal = 0; -- cdj970->yscal = 0; -- /* intensities = 4 from initialization */ -- } -- -- m = (gdev_pcl_paper_size((gx_device *) pdev) == -- PAPER_SIZE_A4 ? dj_a4 : dj_letter); -- -- gx_device_set_margins((gx_device *) pdev, m, true); -- -- cdj970_write_header((gx_device *) pdev, pdev->file); --} -- - /* cdj970_print_page: Here comes the hp970 output routine - ----------------------------------------------------------------------------------*/ - static int -@@ -837,7 +830,7 @@ cdj970_print_page(gx_device_printer * pdev, FILE * prn_stream) - Gamma gamma; - - if (cdj970->PageCtr == 0 && cdj970->ptype == DJ970C) { -- cdj970_one_time_initialisation(pdev); -+ cdj970_write_header((gx_device *)pdev, prn_stream); - } - - /* make a local writable copy of the Gamma tables */ -@@ -2280,6 +2273,11 @@ cdj_set_bpp(gx_device * pdev, int bpp, int ccomps) - ci->dither_colors = (bpp >= 8 ? 5 : bpp > 1 ? 2 : 0); - } - -+ if (ci->depth != ((bpp > 1) && (bpp < 8) ? 8 : bpp)) { -+ if (pdev->is_open) -+ gs_closedevice(pdev); /* depth changed, make sure we re-open */ -+ } -+ - ci->depth = ((bpp > 1) && (bpp < 8) ? 8 : bpp); - - return (0); -@@ -2598,16 +2596,15 @@ cdj_put_param_bpp(gx_device * pdev, - gs_param_list * plist, - int new_bpp, int real_bpp, int ccomps) - { -- if (new_bpp == 0 && ccomps == 0) -- return gdev_prn_put_params(pdev, plist); -- else { -- gx_device_color_info save_info; -- int save_bpp; -- int code; -- -- save_info = pdev->color_info; -- save_bpp = save_info.depth; -+ int code = 0; -+ int save_bpp; -+ gx_device_color_info save_info; -+ save_info = pdev->color_info; -+ save_bpp = save_info.depth; - -+ if (new_bpp == 0 && ccomps == 0) { -+ code = gdev_prn_put_params(pdev, plist); -+ } else { - if (save_bpp == 8 && save_ccomps == 3 && !cprn_device->cmyk) - save_bpp = 3; - -@@ -2631,12 +2628,22 @@ cdj_put_param_bpp(gx_device * pdev, - if ((cdj970->color_info.depth != save_bpp - || (ccomps != 0 && ccomps != save_ccomps)) - && pdev->is_open) -- return (gs_closedevice(pdev)); -+ gs_closedevice(pdev); -+ } -+ -+ /* check for valid resolutions */ -+ if (pdev->HWResolution[0] != pdev->HWResolution[1] || -+ (pdev->HWResolution[0] != 300.0 && pdev->HWResolution[0] != 600.0) ) { -+ param_signal_error(plist, "HWResolution", gs_error_rangecheck); -+ emprintf1(pdev->memory, "\ncdj970: Invalid resolution: '%f'. Only 300 or 600 supported.\n\n", -+ pdev->HWResolution[0]); -+ cdj_set_bpp(pdev, save_bpp, save_ccomps); -+ return gs_error_rangecheck; -+ } -+ return code; - -- return (0); - - #undef save_ccomps -- } - } - - /* cdj970_write_header: diff --git a/SOURCES/ghostscript-cve-2020-16293.patch b/SOURCES/ghostscript-cve-2020-16293.patch deleted file mode 100644 index 21142b6..0000000 --- a/SOURCES/ghostscript-cve-2020-16293.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/base/gxblend.c b/base/gxblend.c -index 7c3d55b..55215d6 100644 ---- a/base/gxblend.c -+++ b/base/gxblend.c -@@ -2174,7 +2174,7 @@ pdf14_compose_group(pdf14_buf *tos, pdf14_buf *nos, pdf14_buf *maskbuf, - overprint == 0) { - /* Additive vs Subtractive makes no difference in normal blend mode with no spots */ - if (tos_isolated) { -- if (has_mask || maskbuf) {/* 7% */ -+ if (has_mask && maskbuf) {/* 7% */ - /* AirPrint test case hits this */ - if (maskbuf && maskbuf->rect.p.x <= x0 && maskbuf->rect.p.y <= y0 && - maskbuf->rect.q.x >= x1 && maskbuf->rect.q.y >= y1) diff --git a/SOURCES/ghostscript-cve-2020-16295.patch b/SOURCES/ghostscript-cve-2020-16295.patch deleted file mode 100644 index 24fc069..0000000 --- a/SOURCES/ghostscript-cve-2020-16295.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/devices/gdevclj.c b/devices/gdevclj.c -index bed13bc..fe17ece 100644 ---- a/devices/gdevclj.c -+++ b/devices/gdevclj.c -@@ -254,7 +254,7 @@ clj_media_size(float mediasize[2], gs_param_list *plist) - gs_param_int_array hwsize; - int have_pagesize = 0; - -- if ( (param_read_float_array(plist, "HWResolution", &fres) == 0) && -+ if ( param_read_float_array(plist, "HWResolution", &fres) != 0 || - !is_supported_resolution(fres.data) ) - return_error(gs_error_rangecheck); - diff --git a/SOURCES/ghostscript-cve-2020-16299.patch b/SOURCES/ghostscript-cve-2020-16299.patch deleted file mode 100644 index 3a9c3bd..0000000 --- a/SOURCES/ghostscript-cve-2020-16299.patch +++ /dev/null @@ -1,58 +0,0 @@ -diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c -index 5c8b7fb..53da0ec 100644 ---- a/contrib/japanese/gdev10v.c -+++ b/contrib/japanese/gdev10v.c -@@ -73,8 +73,20 @@ gx_device_procs prn_bj10v_procs = - prn_matrix_procs(gdev_prn_open, bj10v_get_initial_matrix, - gdev_prn_output_page, gdev_prn_close); - #endif -+ -+static int -+bj10v_open(gx_device * pdev) -+{ -+ if (pdev->HWResolution[0] < 180 || -+ pdev->HWResolution[1] < 180) -+ { -+ emprintf(pdev->memory, "device requires a resolution of at least 180dpi\n"); -+ return_error(gs_error_rangecheck); -+ } -+ return gdev_prn_open(pdev); -+} - gx_device_procs prn_bj10v_procs = -- prn_procs(gdev_prn_open, gdev_prn_output_page, gdev_prn_close); -+ prn_procs(bj10v_open, gdev_prn_output_page, gdev_prn_close); - - gx_device_printer gs_bj10v_device = - prn_device(prn_bj10v_procs, "bj10v", -diff --git a/contrib/japanese/gdevalps.c b/contrib/japanese/gdevalps.c -index f29aeb1..d4de619 100644 ---- a/contrib/japanese/gdevalps.c -+++ b/contrib/japanese/gdevalps.c -@@ -155,13 +155,20 @@ static const char end_md[] = { - static int - md_open(gx_device *pdev) - { -- static const float md_margins[4] = -- { MD_SIDE_MARGIN, MD_BOTTOM_MARGIN, -- MD_SIDE_MARGIN, MD_TOP_MARGIN -- }; -- -- gx_device_set_margins(pdev, md_margins, true); -- return gdev_prn_open(pdev); -+ static const float md_margins[4] = -+ { -+ MD_SIDE_MARGIN, MD_BOTTOM_MARGIN, -+ MD_SIDE_MARGIN, MD_TOP_MARGIN -+ }; -+ -+ if (pdev->HWResolution[0] != 600) -+ { -+ emprintf(pdev->memory, "device must have an X resolution of 600dpi\n"); -+ return_error(gs_error_rangecheck); -+ } -+ -+ gx_device_set_margins(pdev, md_margins, true); -+ return gdev_prn_open(pdev); - } - - /* MD5000 monochrome mode entrance. */ diff --git a/SOURCES/ghostscript-cve-2020-16301.patch b/SOURCES/ghostscript-cve-2020-16301.patch deleted file mode 100644 index 582ff6d..0000000 --- a/SOURCES/ghostscript-cve-2020-16301.patch +++ /dev/null @@ -1,75 +0,0 @@ -From f54414c8b15b2c27d1dcadd92cfe84f6d15f18dc Mon Sep 17 00:00:00 2001 -From: Julian Smith -Date: Thu, 31 Oct 2019 13:12:47 +0000 -Subject: [PATCH] Bug 701808: return error from okiibm_print_page1() if x_dpi - too high. - -Avoids asan error in: - ./sanbin/gs -dBATCH -dNOPAUSE -dSAFER -r599 -sOutputFile=tmp -sDEVICE=okiibm ../bug-701808.pdf ---- - devices/gdevokii.c | 46 ++++++++++++++++++++++++++++++++-------------- - 1 file changed, 32 insertions(+), 14 deletions(-) - -diff --git a/devices/gdevokii.c b/devices/gdevokii.c -index d8929a22c..97a1c3b88 100644 ---- a/devices/gdevokii.c -+++ b/devices/gdevokii.c -@@ -96,23 +96,41 @@ okiibm_print_page1(gx_device_printer *pdev, gp_file *prn_stream, int y_9pin_high - -1, 0 /*60*/, 1 /*120*/, -1, 3 /*240*/ - }; - -- int in_y_mult = (y_9pin_high ? 2 : 1); -- int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev); -- /* Note that in_size is a multiple of 8. */ -- int in_size = line_size * (8 * in_y_mult); -- byte *buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)"); -- byte *buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)"); -- byte *in = buf1; -- byte *out = buf2; -- int out_y_mult = 1; -- int x_dpi = pdev->x_pixels_per_inch; -- char start_graphics = graphics_modes_9[x_dpi / 60]; -- int first_pass = (start_graphics == 3 ? 1 : 0); -- int last_pass = first_pass * 2; -- int y_passes = (y_9pin_high ? 2 : 1); -+ int in_y_mult; -+ int line_size; -+ int in_size; -+ byte *buf1; -+ byte *buf2; -+ byte *in; -+ byte *out; -+ int out_y_mult; -+ int x_dpi; -+ char start_graphics; -+ int first_pass; -+ int last_pass; -+ int y_passes; - int skip = 0, lnum = 0, pass, ypass; - int y_step = 0; - -+ x_dpi = pdev->x_pixels_per_inch; -+ if (x_dpi / 60 >= sizeof(graphics_modes_9)/sizeof(graphics_modes_9[0])) { -+ return_error(gs_error_rangecheck); -+ } -+ in_y_mult = (y_9pin_high ? 2 : 1); -+ line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev); -+ /* Note that in_size is a multiple of 8. */ -+ in_size = line_size * (8 * in_y_mult); -+ buf1 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf1)"); -+ buf2 = (byte *)gs_malloc(pdev->memory, in_size, 1, "okiibm_print_page(buf2)"); -+ in = buf1; -+ out = buf2; -+ out_y_mult = 1; -+ start_graphics = graphics_modes_9[x_dpi / 60]; -+ first_pass = (start_graphics == 3 ? 1 : 0); -+ last_pass = first_pass * 2; -+ y_passes = (y_9pin_high ? 2 : 1); -+ y_step = 0; -+ - /* Check allocations */ - if ( buf1 == 0 || buf2 == 0 ) - { if ( buf1 ) --- -2.35.3 - diff --git a/SOURCES/ghostscript-cve-2020-16302.patch b/SOURCES/ghostscript-cve-2020-16302.patch deleted file mode 100644 index bf8b441..0000000 --- a/SOURCES/ghostscript-cve-2020-16302.patch +++ /dev/null @@ -1,228 +0,0 @@ -diff --git a/devices/gdev3852.c b/devices/gdev3852.c -index 2bee8ec..9d99068 100644 ---- a/devices/gdev3852.c -+++ b/devices/gdev3852.c -@@ -62,116 +62,117 @@ jetp3852_print_page(gx_device_printer *pdev, FILE *prn_stream) - #define DATA_SIZE (LINE_SIZE * 8) - - unsigned int cnt_2prn; -- unsigned int count,tempcnt; -- unsigned char vtp,cntc1,cntc2; -- int line_size_color_plane; -- -- byte data[DATA_SIZE]; -- byte plane_data[LINE_SIZE * 3]; -- -- /* Set initial condition for printer */ -- fputs("\033@",prn_stream); -- -- /* Send each scan line in turn */ -- { int lnum; -- int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev); -- int num_blank_lines = 0; -- -- if (line_size > DATA_SIZE) { -- emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n", -- line_size, DATA_SIZE); -- return_error(gs_error_rangecheck); -- } -- -- for ( lnum = 0; lnum < pdev->height; lnum++ ) -- { byte *end_data = data + line_size; -- gdev_prn_copy_scan_lines(pdev, lnum, -- (byte *)data, line_size); -- /* Remove trailing 0s. */ -- while ( end_data > data && end_data[-1] == 0 ) -- end_data--; -- if ( end_data == data ) -- { /* Blank line */ -- num_blank_lines++; -- } -- else -- { int i; -- byte *odp; -- byte *row; -- -- /* Pad with 0s to fill out the last */ -- /* block of 8 bytes. */ -- memset(end_data, 0, 7); -- -- /* Transpose the data to get pixel planes. */ -- for ( i = 0, odp = plane_data; i < DATA_SIZE; -- i += 8, odp++ -- ) -- { /* The following is for 16-bit machines */ -+ unsigned int count,tempcnt; -+ unsigned char vtp,cntc1,cntc2; -+ int line_size_color_plane; -+ -+ byte data[DATA_SIZE]; -+ byte plane_data[LINE_SIZE * 3]; -+ -+ /* Initialise data to zeros, otherwise later on, uninitialised bytes in -+ dp[] can be greater than 7, which breaks spr8[dp[]]. */ -+ memset(data, 0x00, DATA_SIZE); -+ -+ -+ /* Set initial condition for printer */ -+ fputs("\033@",prn_stream); -+ -+ /* Send each scan line in turn */ -+ { int lnum; -+ int line_size = gdev_mem_bytes_per_scan_line((gx_device *)pdev); -+ int num_blank_lines = 0; -+ -+ if (line_size > DATA_SIZE) { -+ emprintf2(pdev->memory, "invalid resolution and/or width gives line_size = %d, max. is %d\n", -+ line_size, DATA_SIZE); -+ return_error(gs_error_rangecheck); -+ } -+ -+ for ( lnum = 0; lnum < pdev->height; lnum++ ) -+ { byte *end_data = data + line_size; -+ gdev_prn_copy_scan_lines(pdev, lnum, -+ (byte *)data, line_size); -+ /* Remove trailing 0s. */ -+ while ( end_data > data && end_data[-1] == 0 ) -+ end_data--; -+ if ( end_data == data ) -+ { /* Blank line */ -+ num_blank_lines++; -+ } -+ else -+ { int i; -+ byte *odp; -+ byte *row; -+ -+ /* Transpose the data to get pixel planes. */ -+ for ( i = 0, odp = plane_data; i < DATA_SIZE; -+ i += 8, odp++ -+ ) -+ { /* The following is for 16-bit machines */ - #define spread3(c)\ - { 0, c, c*0x100, c*0x101, c*0x10000L, c*0x10001L, c*0x10100L, c*0x10101L } -- static ulong spr40[8] = spread3(0x40); -- static ulong spr8[8] = spread3(8); -- static ulong spr2[8] = spread3(2); -- register byte *dp = data + i; -- register ulong pword = -- (spr40[dp[0]] << 1) + -- (spr40[dp[1]]) + -- (spr40[dp[2]] >> 1) + -- (spr8[dp[3]] << 1) + -- (spr8[dp[4]]) + -- (spr8[dp[5]] >> 1) + -- (spr2[dp[6]]) + -- (spr2[dp[7]] >> 1); -- odp[0] = (byte)(pword >> 16); -- odp[LINE_SIZE] = (byte)(pword >> 8); -- odp[LINE_SIZE*2] = (byte)(pword); -- } -- /* Skip blank lines if any */ -- if ( num_blank_lines > 0 ) -- { -- /* Do "dot skips" */ -- while(num_blank_lines > 255) -- { -- fputs("\033e\377",prn_stream); -- num_blank_lines -= 255; -- } -- vtp = num_blank_lines; -- fprintf(prn_stream,"\033e%c",vtp); -- num_blank_lines = 0; -- } -- -- /* Transfer raster graphics in the order R, G, B. */ -- /* Apparently it is stored in B, G, R */ -- /* Calculate the amount of data to send by what */ -- /* Ghostscript tells us the scan line_size in (bytes) */ -- -- count = line_size / 3; -- line_size_color_plane = count / 3; -- cnt_2prn = line_size_color_plane * 3 + 5; -- tempcnt = cnt_2prn; -- cntc1 = (tempcnt & 0xFF00) >> 8; -- cntc2 = (tempcnt & 0x00FF); -- fprintf(prn_stream, "\033[O%c%c\200\037",cntc2,cntc1); -- fputc('\000',prn_stream); -+ static ulong spr40[8] = spread3(0x40); -+ static ulong spr8[8] = spread3(8); -+ static ulong spr2[8] = spread3(2); -+ register byte *dp = data + i; -+ register ulong pword = -+ (spr40[dp[0]] << 1) + -+ (spr40[dp[1]]) + -+ (spr40[dp[2]] >> 1) + -+ (spr8[dp[3]] << 1) + -+ (spr8[dp[4]]) + -+ (spr8[dp[5]] >> 1) + -+ (spr2[dp[6]]) + -+ (spr2[dp[7]] >> 1); -+ odp[0] = (byte)(pword >> 16); -+ odp[LINE_SIZE] = (byte)(pword >> 8); -+ odp[LINE_SIZE*2] = (byte)(pword); -+ } -+ /* Skip blank lines if any */ -+ if ( num_blank_lines > 0 ) -+ { -+ /* Do "dot skips" */ -+ while(num_blank_lines > 255) -+ { -+ fputs("\033e\377",prn_stream); -+ num_blank_lines -= 255; -+ } -+ vtp = num_blank_lines; -+ fprintf(prn_stream,"\033e%c",vtp); -+ num_blank_lines = 0; -+ } -+ -+ /* Transfer raster graphics in the order R, G, B. */ -+ /* Apparently it is stored in B, G, R */ -+ /* Calculate the amount of data to send by what */ -+ /* Ghostscript tells us the scan line_size in (bytes) */ -+ -+ count = line_size / 3; -+ line_size_color_plane = count / 3; -+ cnt_2prn = line_size_color_plane * 3 + 5; -+ tempcnt = cnt_2prn; -+ cntc1 = (tempcnt & 0xFF00) >> 8; -+ cntc2 = (tempcnt & 0x00FF); -+ fprintf(prn_stream, "\033[O%c%c\200\037",cntc2,cntc1); -+ fputc('\000',prn_stream); - fputs("\124\124",prn_stream); - -- for ( row = plane_data + LINE_SIZE * 2, i = 0; -- i < 3; row -= LINE_SIZE, i++ ) -- { int jj; -- byte ctemp; -- odp = row; -- /* Complement bytes */ -- for (jj=0; jj< line_size_color_plane; jj++) -- { ctemp = *odp; -- *odp++ = ~ctemp; -- } -- fwrite(row, sizeof(byte), -- line_size_color_plane, prn_stream); -- } -- } -- } -- } -+ for ( row = plane_data + LINE_SIZE * 2, i = 0; -+ i < 3; row -= LINE_SIZE, i++ ) -+ { int jj; -+ byte ctemp; -+ odp = row; -+ /* Complement bytes */ -+ for (jj=0; jj< line_size_color_plane; jj++) -+ { ctemp = *odp; -+ *odp++ = ~ctemp; -+ } -+ fwrite(row, sizeof(byte), -+ line_size_color_plane, prn_stream); -+ } -+ } -+ } -+ } - - /* eject page */ - fputs("\014", prn_stream); diff --git a/SOURCES/ghostscript-cve-2020-16304.patch b/SOURCES/ghostscript-cve-2020-16304.patch deleted file mode 100644 index de404aa..0000000 --- a/SOURCES/ghostscript-cve-2020-16304.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff --git a/base/gxicolor.c b/base/gxicolor.c -index 34cfaa4..585bd81 100644 ---- a/base/gxicolor.c -+++ b/base/gxicolor.c -@@ -644,16 +644,16 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat - *(devc_contone_gray+1) = *psrc_temp; - } - } else { -- /* Mono case, forward */ -- psrc_temp = psrc_cm; -- for (k=0; k= xr */ -- psrc_temp++; -+ /* Mono case, forward */ -+ psrc_temp = psrc_cm; -+ for (k=0; k= xr */ -+ psrc_temp++; - } - } - } else { -@@ -668,7 +668,7 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat - xr--; - } /* at loop exit xn will be >= xr */ - psrc_temp++; -- } -+ } - } - break; - /* Monochrome landscape */ -@@ -811,10 +811,9 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat - dda_next(dda_ht); - xn = fixed2int_var_rounded(dda_current(dda_ht)); - while (xr > xn) { -- for (j = 0; j < spp_out; j++) { -+ for (j = 0; j < spp_out; j++) - *(devc_contone[j] + position) = (psrc_plane[j])[i]; -- position -= LAND_BITS; -- } -+ position -= LAND_BITS; - xr--; - } /* at loop exit xn will be <= xr */ - i++; -@@ -825,9 +824,8 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat - and 2x scaling which we will run into in 300 and - 600dpi devices and content */ - /* Apply initial offset */ -- for (k = 0; k < spp_out; k++) { -+ for (k = 0; k < spp_out; k++) - devc_contone[k] = devc_contone[k] + position; -- } - if (src_size == dest_height) { - for (k = 0; k < data_length; k++) { - /* Is it better to unwind this? We know it is 4 */ -@@ -853,10 +851,9 @@ image_render_color_thresh(gx_image_enum *penum_orig, const byte *buffer, int dat - dda_next(dda_ht); - xn = fixed2int_var_rounded(dda_current(dda_ht)); - while (xr > xn) { -- for (j = 0; j < spp_out; j++) { -+ for (j = 0; j < spp_out; j++) - *(devc_contone[j] + position) = (psrc_plane[j])[i]; -- position -= LAND_BITS; -- } -+ position -= LAND_BITS; - xr--; - } /* at loop exit xn will be <= xr */ - i++; diff --git a/SOURCES/ghostscript-cve-2020-16306.patch b/SOURCES/ghostscript-cve-2020-16306.patch deleted file mode 100644 index 97241f0..0000000 --- a/SOURCES/ghostscript-cve-2020-16306.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c -index 6a50a4a..471fcb5 100644 ---- a/devices/gdevtsep.c -+++ b/devices/gdevtsep.c -@@ -2332,6 +2332,7 @@ tiffsep_print_page(gx_device_printer * pdev, FILE * file) - "\nUse of the %%d format is required to output more than one page to tiffsep.\n" - "See doc/Devices.htm#TIFF for details.\n\n"); - code = gs_note_error(gs_error_ioerror); -+ goto done; - } - /* Write the page directory for the CMYK equivalent file. */ - if (!tfdev->comp_file) { -@@ -2685,6 +2686,7 @@ tiffsep1_print_page(gx_device_printer * pdev, FILE * file) - "\nUse of the %%d format is required to output more than one page to tiffsep1.\n" - "See doc/Devices.htm#TIFF for details.\n\n"); - code = gs_note_error(gs_error_ioerror); -+ goto done; - } - /* If the output file is on disk and the name contains a page #, */ - /* then delete the previous file. */ diff --git a/SOURCES/ghostscript-cve-2020-16307.patch b/SOURCES/ghostscript-cve-2020-16307.patch deleted file mode 100644 index 069d8fa..0000000 --- a/SOURCES/ghostscript-cve-2020-16307.patch +++ /dev/null @@ -1,205 +0,0 @@ -diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c -index b958027..7f02608 100644 ---- a/devices/vector/gdevtxtw.c -+++ b/devices/vector/gdevtxtw.c -@@ -1693,97 +1693,100 @@ static int get_unicode(textw_text_enum_t *penum, gs_font *font, gs_glyph glyph, - - length = font->procs.decode_glyph((gs_font *)font, glyph, ch, NULL, 0); - if (length == 0) { -- code = font->procs.glyph_name(font, glyph, &gnstr); -- if (code >= 0 && gnstr.size == 7) { -- if (!memcmp(gnstr.data, "uni", 3)) { -- static const char *hexdigits = "0123456789ABCDEF"; -- char *d0 = strchr(hexdigits, gnstr.data[3]); -- char *d1 = strchr(hexdigits, gnstr.data[4]); -- char *d2 = strchr(hexdigits, gnstr.data[5]); -- char *d3 = strchr(hexdigits, gnstr.data[6]); -- -- if (d0 != NULL && d1 != NULL && d2 != NULL && d3 != NULL) { -- *Buffer++ = ((d0 - hexdigits) << 12) + ((d1 - hexdigits) << 8) + ((d2 - hexdigits) << 4) + (d3 - hexdigits); -- return 1; -- } -- } -- } -- if (length == 0) { -- single_glyph_list_t *sentry = (single_glyph_list_t *)&SingleGlyphList; -- double_glyph_list_t *dentry = (double_glyph_list_t *)&DoubleGlyphList; -- treble_glyph_list_t *tentry = (treble_glyph_list_t *)&TrebleGlyphList; -- quad_glyph_list_t *qentry = (quad_glyph_list_t *)&QuadGlyphList; -- -- /* Search glyph to single Unicode value table */ -- while (sentry->Glyph != 0) { -- if (sentry->Glyph[0] < gnstr.data[0]) { -- sentry++; -- continue; -- } -- if (sentry->Glyph[0] > gnstr.data[0]){ -- break; -- } -- if (strlen(sentry->Glyph) == gnstr.size) { -- if(memcmp(gnstr.data, sentry->Glyph, gnstr.size) == 0) { -- *Buffer = sentry->Unicode; -+ if (glyph != GS_NO_GLYPH) { -+ code = font->procs.glyph_name(font, glyph, &gnstr); -+ if (code >= 0 && gnstr.size == 7) { -+ if (!memcmp(gnstr.data, "uni", 3)) { -+ static const char *hexdigits = "0123456789ABCDEF"; -+ char *d0 = strchr(hexdigits, gnstr.data[3]); -+ char *d1 = strchr(hexdigits, gnstr.data[4]); -+ char *d2 = strchr(hexdigits, gnstr.data[5]); -+ char *d3 = strchr(hexdigits, gnstr.data[6]); -+ -+ if (d0 != NULL && d1 != NULL && d2 != NULL && d3 != NULL) { -+ *Buffer++ = ((d0 - hexdigits) << 12) + ((d1 - hexdigits) << 8) + ((d2 - hexdigits) << 4) + (d3 - hexdigits); - return 1; - } - } -- sentry++; - } - -- /* Search glyph to double Unicode value table */ -- while (dentry->Glyph != 0) { -- if (dentry->Glyph[0] < gnstr.data[0]) { -- dentry++; -- continue; -- } -- if (dentry->Glyph[0] > gnstr.data[0]){ -- break; -- } -- if (strlen(dentry->Glyph) == gnstr.size) { -- if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) { -- memcpy(Buffer, dentry->Unicode, 2); -- return 2; -+ if (length == 0) { -+ single_glyph_list_t *sentry = (single_glyph_list_t *)&SingleGlyphList; -+ double_glyph_list_t *dentry = (double_glyph_list_t *)&DoubleGlyphList; -+ treble_glyph_list_t *tentry = (treble_glyph_list_t *)&TrebleGlyphList; -+ quad_glyph_list_t *qentry = (quad_glyph_list_t *)&QuadGlyphList; -+ -+ /* Search glyph to single Unicode value table */ -+ while (sentry->Glyph != 0) { -+ if (sentry->Glyph[0] < gnstr.data[0]) { -+ sentry++; -+ continue; -+ } -+ if (sentry->Glyph[0] > gnstr.data[0]){ -+ break; -+ } -+ if (strlen(sentry->Glyph) == gnstr.size) { -+ if(memcmp(gnstr.data, sentry->Glyph, gnstr.size) == 0) { -+ *Buffer = sentry->Unicode; -+ return 1; -+ } - } -+ sentry++; - } -- dentry++; -- } - -- /* Search glyph to triple Unicode value table */ -- while (tentry->Glyph != 0) { -- if (tentry->Glyph[0] < gnstr.data[0]) { -- tentry++; -- continue; -- } -- if (tentry->Glyph[0] > gnstr.data[0]){ -- break; -- } -- if (strlen(tentry->Glyph) == gnstr.size) { -- if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) { -- memcpy(Buffer, tentry->Unicode, 3); -- return 3; -+ /* Search glyph to double Unicode value table */ -+ while (dentry->Glyph != 0) { -+ if (dentry->Glyph[0] < gnstr.data[0]) { -+ dentry++; -+ continue; - } -+ if (dentry->Glyph[0] > gnstr.data[0]){ -+ break; -+ } -+ if (strlen(dentry->Glyph) == gnstr.size) { -+ if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) { -+ memcpy(Buffer, dentry->Unicode, 2); -+ return 2; -+ } -+ } -+ dentry++; - } -- tentry++; -- } - -- /* Search glyph to quadruple Unicode value table */ -- while (qentry->Glyph != 0) { -- if (qentry->Glyph[0] < gnstr.data[0]) { -- qentry++; -- continue; -- } -- if (qentry->Glyph[0] > gnstr.data[0]){ -- break; -+ /* Search glyph to triple Unicode value table */ -+ while (tentry->Glyph != 0) { -+ if (tentry->Glyph[0] < gnstr.data[0]) { -+ tentry++; -+ continue; -+ } -+ if (tentry->Glyph[0] > gnstr.data[0]){ -+ break; -+ } -+ if (strlen(tentry->Glyph) == gnstr.size) { -+ if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) { -+ memcpy(Buffer, tentry->Unicode, 3); -+ return 3; -+ } -+ } -+ tentry++; - } -- if (strlen(qentry->Glyph) == gnstr.size) { -- if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) { -- memcpy(Buffer, qentry->Unicode, 4); -- return 4; -+ -+ /* Search glyph to quadruple Unicode value table */ -+ while (qentry->Glyph != 0) { -+ if (qentry->Glyph[0] < gnstr.data[0]) { -+ qentry++; -+ continue; -+ } -+ if (qentry->Glyph[0] > gnstr.data[0]){ -+ break; - } -+ if (strlen(qentry->Glyph) == gnstr.size) { -+ if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) { -+ memcpy(Buffer, qentry->Unicode, 4); -+ return 4; -+ } -+ } -+ qentry++; - } -- qentry++; - } - } - *Buffer = fallback; -@@ -1890,8 +1893,8 @@ txtwrite_process_cmap_text(gs_text_enum_t *pte) - pte->returned.total_width.x += dpt.x; - pte->returned.total_width.y += dpt.y; - -- penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, chr, &penum->TextBuffer[penum->TextBufferIndex]); - penum->Widths[penum->TextBufferIndex] += dpt.x; -+ penum->TextBufferIndex += get_unicode(penum, (gs_font *)pte->orig_font, glyph, chr, &penum->TextBuffer[penum->TextBufferIndex]); - break; - case 2: /* end of string */ - return 0; -diff --git a/psi/zbfont.c b/psi/zbfont.c -index 262fea9..abc03aa 100644 ---- a/psi/zbfont.c -+++ b/psi/zbfont.c -@@ -272,7 +272,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u - * can't be a default value for FontInfo.GlyphNames2Unicode . - */ - } -- if (glyph <= GS_MIN_CID_GLYPH) { -+ if (glyph <= GS_MIN_CID_GLYPH && glyph != GS_NO_GLYPH) { - UnicodeDecoding = zfont_get_to_unicode_map(font->dir); - if (UnicodeDecoding != NULL && r_type(UnicodeDecoding) == t_dictionary) - return gs_font_map_glyph_by_dict(font->memory, UnicodeDecoding, glyph, u, length); diff --git a/SOURCES/ghostscript-cve-2020-16310.patch b/SOURCES/ghostscript-cve-2020-16310.patch deleted file mode 100644 index 911220e..0000000 --- a/SOURCES/ghostscript-cve-2020-16310.patch +++ /dev/null @@ -1,57 +0,0 @@ -diff --git a/devices/gdevdm24.c b/devices/gdevdm24.c -index 4736f4f..2f610cd 100644 ---- a/devices/gdevdm24.c -+++ b/devices/gdevdm24.c -@@ -51,21 +51,39 @@ static void dot24_improve_bitmap (byte *, int); - static int - dot24_print_page (gx_device_printer *pdev, FILE *prn_stream, char *init_string, int init_len) - { -- int xres = (int)pdev->x_pixels_per_inch; -- int yres = (int)pdev->y_pixels_per_inch; -- int x_high = (xres == 360); -- int y_high = (yres == 360); -- int bits_per_column = (y_high ? 48 : 24); -- uint line_size = gdev_prn_raster (pdev); -- uint in_size = line_size * bits_per_column; -- byte *in = (byte *) gs_malloc (pdev->memory, in_size, 1, "dot24_print_page (in)"); -- uint out_size = ((pdev->width + 7) & -8) * 3; -- byte *out = (byte *) gs_malloc (pdev->memory, out_size, 1, "dot24_print_page (out)"); -- int y_passes = (y_high ? 2 : 1); -- int dots_per_space = xres / 10; /* pica space = 1/10" */ -- int bytes_per_space = dots_per_space * 3; -+ int xres; -+ int yres; -+ int x_high; -+ int y_high; -+ int bits_per_column; -+ uint line_size; -+ uint in_size; -+ byte *in; -+ uint out_size; -+ byte *out; -+ int y_passes; -+ int dots_per_space; -+ int bytes_per_space; - int skip = 0, lnum = 0, ypass; - -+ xres = (int)pdev->x_pixels_per_inch; -+ yres = (int)pdev->y_pixels_per_inch; -+ x_high = (xres == 360); -+ y_high = (yres == 360); -+ dots_per_space = xres / 10; /* pica space = 1/10" */ -+ bytes_per_space = dots_per_space * 3; -+ if (bytes_per_space == 0) { -+ /* We divide by bytes_per_space later on. */ -+ return_error(gs_error_rangecheck); -+ } -+ bits_per_column = (y_high ? 48 : 24); -+ line_size = gdev_prn_raster (pdev); -+ in_size = line_size * bits_per_column; -+ in = (byte *) gs_malloc (pdev->memory, in_size, 1, "dot24_print_page (in)"); -+ out_size = ((pdev->width + 7) & -8) * 3; -+ out = (byte *) gs_malloc (pdev->memory, out_size, 1, "dot24_print_page (out)"); -+ y_passes = (y_high ? 2 : 1); -+ - /* Check allocations */ - if (in == 0 || out == 0) - { diff --git a/SOURCES/gs-CVE-2023-46751.patch b/SOURCES/gs-CVE-2023-46751.patch deleted file mode 100644 index 0c8c6c8..0000000 --- a/SOURCES/gs-CVE-2023-46751.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/base/gdevprn.c b/base/gdevprn.c -index 459846a..84802d9 100644 ---- a/base/gdevprn.c -+++ b/base/gdevprn.c -@@ -1331,6 +1331,7 @@ gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode, - && !IS_LIBCTX_STDERR(pdev->memory ,ppdev->file)) { - - code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file); -+ ppdev->file = NULL; - if (code < 0) - return code; - } diff --git a/SOURCES/gs-cve-2024-33871.patch b/SOURCES/gs-cve-2024-33871.patch deleted file mode 100644 index 596eb0d..0000000 --- a/SOURCES/gs-cve-2024-33871.patch +++ /dev/null @@ -1,154 +0,0 @@ -diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps -index 55a785e..be77534 100644 ---- a/Resource/Init/gs_init.ps -+++ b/Resource/Init/gs_init.ps -@@ -2607,4 +2607,6 @@ WRITESYSTEMDICT { - % be 'true' in some cases. - userdict /AGM_preserve_spots //false put - -+.opvpactivatepathcontrol -+ - % The interpreter will run the initial procedure (start). -diff --git a/base/gslibctx.c b/base/gslibctx.c -index 1ed6093..14fb57c 100644 ---- a/base/gslibctx.c -+++ b/base/gslibctx.c -@@ -435,3 +435,27 @@ gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, co - } - return code; - } -+ -+void -+opvp_activate_path_control(gs_memory_t *mem, int enable) -+{ -+ gs_lib_ctx_core_t *core; -+ -+ if (mem == NULL || mem->gs_lib_ctx == NULL || -+ (core = mem->gs_lib_ctx->core) == NULL) -+ return; -+ -+ core->opvp_path_control_active = enable; -+} -+ -+int -+opvp_is_path_control_active(const gs_memory_t *mem) -+{ -+ gs_lib_ctx_core_t *core; -+ -+ if (mem == NULL || mem->gs_lib_ctx == NULL || -+ (core = mem->gs_lib_ctx->core) == NULL) -+ return 0; -+ -+ return core->opvp_path_control_active; -+} -diff --git a/base/gslibctx.h b/base/gslibctx.h -index 1481cb5..e4b3924 100644 ---- a/base/gslibctx.h -+++ b/base/gslibctx.h -@@ -61,6 +61,8 @@ typedef struct { - bool CPSI_mode; - int scanconverter; - int act_on_uel; -+ -+ int opvp_path_control_active; - } gs_lib_ctx_core_t; - - typedef struct gs_lib_ctx_s -@@ -167,4 +169,10 @@ int sjpxd_create(gs_memory_t *mem); - - void sjpxd_destroy(gs_memory_t *mem); - -+void -+opvp_activate_path_control(gs_memory_t *mem, int enable); -+ -+int -+opvp_is_path_control_active(const gs_memory_t *mem); -+ - #endif /* GSLIBCTX_H */ -diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c -index 9a6b45b..9693673 100644 ---- a/contrib/opvp/gdevopvp.c -+++ b/contrib/opvp/gdevopvp.c -@@ -185,7 +185,7 @@ static int opvp_copy_color(gx_device *, const byte *, int, int, - static int _get_params(gs_param_list *); - static int opvp_get_params(gx_device *, gs_param_list *); - static int oprp_get_params(gx_device *, gs_param_list *); --static int _put_params(gs_param_list *); -+static int _put_params(gx_device *, gs_param_list *); - static int opvp_put_params(gx_device *, gs_param_list *); - static int oprp_put_params(gx_device *, gs_param_list *); - static int opvp_fill_path(gx_device *, const gs_gstate *, gx_path *, -@@ -3039,7 +3039,7 @@ _get_params(gs_param_list *plist) - /* vector driver name */ - pname = "Driver"; - vdps.data = (byte *)vectorDriver; -- vdps.size = (vectorDriver ? strlen(vectorDriver) + 1 : 0); -+ vdps.size = (vectorDriver ? strlen(vectorDriver) : 0); - vdps.persistent = false; - code = param_write_string(plist, pname, &vdps); - if (code) ecode = code; -@@ -3176,7 +3176,7 @@ oprp_get_params(gx_device *dev, gs_param_list *plist) - * put params - */ - static int --_put_params(gs_param_list *plist) -+_put_params(gx_device *dev, gs_param_list *plist) - { - int code; - int ecode = 0; -@@ -3198,6 +3198,12 @@ _put_params(gs_param_list *plist) - code = param_read_string(plist, pname, &vdps); - switch (code) { - case 0: -+ if (opvp_is_path_control_active(dev->memory) -+ && (!vectorDriver || strlen(vectorDriver) != vdps.size -+ || memcmp(vectorDriver, vdps.data, vdps.size) != 0)) { -+ param_signal_error(plist, pname, gs_error_invalidaccess); -+ return_error(gs_error_invalidaccess); -+ } - buff = realloc(buff, vdps.size + 1); - memcpy(buff, vdps.data, vdps.size); - buff[vdps.size] = 0; -@@ -3399,7 +3405,7 @@ opvp_put_params(gx_device *dev, gs_param_list *plist) - int code; - - /* put params */ -- code = _put_params(plist); -+ code = _put_params(dev, plist); - if (code) return code; - - /* put default params */ -@@ -3415,7 +3421,7 @@ oprp_put_params(gx_device *dev, gs_param_list *plist) - int code; - - /* put params */ -- code = _put_params(plist); -+ code = _put_params(dev, plist); - if (code) return code; - - /* put default params */ -diff --git a/psi/zfile.c b/psi/zfile.c -index 271a1a0..05b8203 100644 ---- a/psi/zfile.c -+++ b/psi/zfile.c -@@ -875,6 +875,12 @@ static int zgetfilename(i_ctx_t *i_ctx_p) - return 0; - } - -+static int zopvpactivatepathcontrol(i_ctx_t *i_ctx_p) -+{ -+ opvp_activate_path_control(imemory, 1); -+ return 0; -+} -+ - /* ------ Initialization procedure ------ */ - - const op_def zfile_op_defs[] = -@@ -893,6 +899,7 @@ const op_def zfile_op_defs[] = - {"0%file_continue", file_continue}, - {"0%execfile_finish", execfile_finish}, - {"1.getfilename", zgetfilename}, -+ {"0.opvpactivatepathcontrol", zopvpactivatepathcontrol}, - op_def_end(0) - }; - diff --git a/ghostscript-10.02.1-PostScript-Fix-selectdevice.patch b/ghostscript-10.02.1-PostScript-Fix-selectdevice.patch new file mode 100644 index 0000000..3aefed8 --- /dev/null +++ b/ghostscript-10.02.1-PostScript-Fix-selectdevice.patch @@ -0,0 +1,33 @@ +From 2febe352146a62c77d62a5b5dde9607f66575d14 Mon Sep 17 00:00:00 2001 +Message-ID: <2febe352146a62c77d62a5b5dde9607f66575d14.1699398720.git.mjg@fedoraproject.org> +From: Ken Sharp +Date: Mon, 6 Nov 2023 15:30:18 +0000 +Subject: [PATCH] PostScript - Fix selectdevice + +Bug 707310 "`selectdevice` no longer works" + +This was an oversight. Fixed here. + +In future I anticipate removing selectdevice as well, as it doesn't do +anything that can't be done using setpagedevice (and .defaultscreen). +However, it is currently documented, so this restores the behaviour. +--- + Resource/Init/gs_init.ps | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps +index 958e8247c..d6b55efb2 100644 +--- a/Resource/Init/gs_init.ps ++++ b/Resource/Init/gs_init.ps +@@ -871,7 +871,7 @@ currentdict /.makeinternaldict .undef + ifelse + } bind def + /selectdevice +- { finddevice setdevice .setdefaultscreen } bind def ++ { finddevice setdevice .setdefaultscreen } bind odef + /signalerror % signalerror - + { /errordict .systemvar exch get exec } bind def + /signaloperror { % signaloperror - +-- +2.43.0.rc0.447.g76a1efa614 + diff --git a/ghostscript-10.02.1-txtwrite-device-needs-to-countdown-the-device-on-tex.patch b/ghostscript-10.02.1-txtwrite-device-needs-to-countdown-the-device-on-tex.patch new file mode 100644 index 0000000..2eddb04 --- /dev/null +++ b/ghostscript-10.02.1-txtwrite-device-needs-to-countdown-the-device-on-tex.patch @@ -0,0 +1,31 @@ +From ea661034db7eb667375981dae883d0c9e7d79799 Mon Sep 17 00:00:00 2001 +Message-ID: +From: Ken Sharp +Date: Mon, 18 Sep 2023 17:40:18 +0100 +Subject: [PATCH] txtwrite device - needs to countdown the device on + text_release + +Bug #707132 "Error: finalizing subclassing device while child refcount > 1" + +The txtwrite device calls gs_text_enum_init() which counts up the +device, but does not count it down again when the enumertor is +released. Fixed here. +--- + devices/vector/gdevtxtw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/devices/vector/gdevtxtw.c b/devices/vector/gdevtxtw.c +index f64284f07..089d32f7e 100644 +--- a/devices/vector/gdevtxtw.c ++++ b/devices/vector/gdevtxtw.c +@@ -2059,6 +2059,7 @@ textw_text_release(gs_text_enum_t *pte, client_name_t cname) + gs_free(tdev->memory, penum->text_state, 1, sizeof(penum->text_state), "txtwrite free text state"); + penum->text_state = NULL; + } ++ rc_decrement_only(pte->dev, "textw_text_release"); + } + + /* This is the list of methods for the text enumerator */ +-- +2.43.0.rc0.447.g76a1efa614 + diff --git a/SPECS/ghostscript.spec b/ghostscript.spec similarity index 80% rename from SPECS/ghostscript.spec rename to ghostscript.spec index eb8e142..0f6b69e 100644 --- a/SPECS/ghostscript.spec +++ b/ghostscript.spec @@ -27,25 +27,40 @@ # tarballs, and their release tags/branches do not use the dot in version # tag. This makes obtaining the current version harder, and might prevent # automatic builds of new releases... -%global version_short %(echo "%{version}" | tr -d '.') +%global version_short %%(echo "%{version}" | tr -d '.') +# Starting version of new sup-package layout scheme for Ghostscript, which is +# conflicting with the previous sup-package layout scheme. +# # Obtain the location of Google Droid fonts directory: %global google_droid_fontpath %%(dirname $(fc-list : file | grep "DroidSansFallback")) +# Desired jbig2dec header files and library version +# Apparantly, ghostscript complains even about newer versions +# Please update if needed. +%global jbig2dec_version 0.20 + # ============================================================================= Name: ghostscript Summary: Interpreter for PostScript language & PDF -Version: 9.27 +Version: 10.02.1 Release: 16%{?dist} -License: AGPLv3+ +License: AGPL-3.0-or-later URL: https://ghostscript.com/ Source: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz Requires: libgs%{?_isa} = %{version}-%{release} -Requires: jbig2dec-libs >= 0.16 +Requires: jbig2dec-libs = %{jbig2dec_version} +Requires: %{name}-tools-fonts = %{version}-%{release} +Requires: %{name}-tools-printing = %{version}-%{release} + +Provides: ghostscript-core = %{version}-%{release} +Obsoletes: ghostscript-core < 9.53.3-6 +Provides: ghostscript-x11 = %{version}-%{release} +Obsoletes: ghostscript-x11 < 10.01.0-1 # Auxiliary build requirements: BuildRequires: automake @@ -61,11 +76,14 @@ BuildRequires: urw-base35-fonts-devel # Already packaged software -- needed for debundling of Ghostscript: BuildRequires: cups-devel BuildRequires: dbus-devel +# we use fc-list in generating macros at the top of SPEC file +BuildRequires: fontconfig BuildRequires: fontconfig-devel BuildRequires: freetype-devel -BuildRequires: jbig2dec-devel +BuildRequires: jbig2dec-devel = %{jbig2dec_version} +BuildRequires: jbig2dec-libs = %{jbig2dec_version} BuildRequires: lcms2-devel -BuildRequires: libidn-devel +BuildRequires: libidn2-devel BuildRequires: libijs-devel BuildRequires: libjpeg-turbo-devel BuildRequires: libpng-devel @@ -77,6 +95,7 @@ BuildRequires: zlib-devel # Enabling the GUI possibilities of Ghostscript: BuildRequires: gtk3-devel BuildRequires: libXt-devel +BuildRequires: make # ============================================================================= @@ -88,75 +107,50 @@ BuildRequires: libXt-devel # Upstream patches -- official upstream patches released by upstream since the # ---------------- last rebase that are necessary for any reason: #Patch000: example000.patch -Patch001: ghostscript-cve-2019-10216.patch -Patch002: ghostscript-cve-2019-14811-14812-14813.patch -Patch003: ghostscript-cve-2019-14817.patch -# fixed in 9.51 -Patch004: ghostscript-cve-2020-16290.patch -Patch005: ghostscript-cve-2020-16291.patch -Patch006: ghostscript-cve-2020-16293.patch -Patch007: ghostscript-cve-2020-16295.patch -Patch008: ghostscript-cve-2020-16299.patch -Patch009: ghostscript-cve-2020-16302.patch -Patch010: ghostscript-cve-2020-16304.patch -Patch011: ghostscript-cve-2020-16306.patch -Patch012: ghostscript-cve-2020-16307.patch -Patch013: ghostscript-cve-2020-16310.patch -Patch014: ghostscript-cve-2020-16301.patch -# 2097448 - printed text drifts to the right -Patch015: ghostscript-9.27-fix-use-of-HWMargins.patch -Patch016: ghostscript-9.27-Deal-with-different-VM-modes-during-CIDFont-loading.patch -Patch017: ghostscript-9.27-ESC-Page-driver-does-not-set-page-size-correctly.patch -Patch018: ghostscript-9.27-fix-bbox.patch -Patch019: ghostscript-9.27-pdfwrite-Substituted-TTF-CIDFont-CID-hand.patch -Patch020: ghostscript-9.27-CVE-2023-28879.patch -Patch021: ghostscript-9.27-CVE-2023-38559.patch -Patch022: ghostscript-9.27-CVE-2023-4042.patch -Patch023: ghostscript-9.27-avoid-divide-by-zero-in-devices.patch -# RHEL-38837 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library -# the patch is based on upstream code from 9.50, where a new -dSAFER implementation was introduced and -# -dSAFER was made default for any gs calls. To do not backport the whole new -dSAFER implementation, -# to do not collide with any future backports related with -dSAFER and to do not change the current default -# for ghostscript in RHEL 8, only part of the new -dSAFER implementation was backported, -# and the several functions, variables and macros prefix was changed to 'opvp' and used only -# for OPVP device, which results in changing the default only for this device and fixing the CVE. -# Downside of the fix is if someone depends on unsafe settings of driver for OPVP device -# (via Postscript code in command -c, via Postscript code in input file), gs will start to fail. -Patch024: gs-cve-2024-33871.patch -# RHEL-61729 Ghostscript is generating PJL of a significantly larger size -# Patches: 0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch -# 0001-Bug-701568-followup-Fix-RLE-compressor.patch -# 0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch -Patch025: 0001-Bug-701568-Fix-gdevpx.c-RLE-stream-handling.patch -Patch026: 0001-Bug-701568-followup-Fix-RLE-compressor.patch -Patch027: 0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch -# RHEL-18396 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable() -# partially taken from https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=dcdbc595c13c9 -Patch028: gs-CVE-2023-46751.patch -# RHEL-67046 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space -# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa7 -Patch029: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch -# RHEL-15067 CVE-2020-27792 ghostscript: heap buffer over write vulnerability in GhostScript's lp8000_print_page() in gdevlp8k.c -# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=4f6bc662909a -Patch030: 0001-Bug-701844-fixed-output-buffer-size-worst-case-in-lp.patch -# RHEL-67051 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding -# implementing decode_utf8() https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=4fcf527584da2053 -# CVE fix, updated for gp_wutf8() in 9.27 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=282f691f5e57b6b -Patch031: 0001-Bug-705911-Fix-Ghostscript-s-encoding-decoding-of-UT.patch -Patch032: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch -# RHEL-67051 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript +Patch: ghostscript-10.02.1-txtwrite-device-needs-to-countdown-the-device-on-tex.patch +Patch: ghostscript-10.02.1-PostScript-Fix-selectdevice.patch +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7beb19ad06e +Patch: 0001-Bug-707130-Cast-to-void-to-avoid-compiler-warning.patch +# https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8f5c77af6c0b +Patch: 0001-X-device-fix-compiler-warning.patch +# RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library +Patch: 0001-OPVP-device-prevent-unsafe-parameter-change-with-SAF.patch +# RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths +Patch: 0001-Bug-707686.patch +# RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter +Patch: 0001-Bug-707510-don-t-use-strlen-on-passwords.patch +# RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc() +Patch: 0001-Bug-707510-review-printing-of-pointers.patch +# RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters +Patch: 0001-Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch +# RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter() +Patch: 0001-Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch +# RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass) +Patch: 0001-Uniprint-device-prevent-string-configuration-changes.patch +# RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction +Patch: 0001-Bug-707691.patch +# RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space +# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f49812186baa7d1 +Patch: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch +# CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling +# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=b1f0827c30f59a2 +Patch: 0001-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch +# RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding +# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=282f691f5e57b6b +Patch: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch +# RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec -Patch033: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch -# RHEL-67051 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution +Patch: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch +# RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3 -Patch034: 0001-PostScript-interpreter-fix-buffer-length-check.patch +Patch: 0001-PostScript-interpreter-fix-buffer-length-check.patch +# RHEL-88964 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow +# https://github.com/ArtifexSoftware/ghostpdl/commit/57291c846334f1585552010faa42d7cb2cbd5c41 +Patch: 0001-Bug-708133-Avoid-integer-overflow-leading-to-buffer-.patch # Downstream patches -- these should be always included when doing rebase: # ------------------ -Patch100: ghostscript-9.23-100-run-dvipdf-securely.patch - - # Downstream patches for RHEL -- patches that we keep only in RHEL for various # --------------------------- reasons, but are not enabled in Fedora: %if %{defined rhel} || %{defined centos} @@ -192,6 +186,9 @@ Requires: urw-base35-fonts This library provides Ghostscript's core functionality, based on Ghostscript's API, which is useful for many packages that are build on top of Ghostscript. +It also provides an X11-based driver for Ghostscript, which enables displaying +of various document files (including PS and PDF). + # --------------- %package -n libgs-devel @@ -220,8 +217,9 @@ against Ghostscript's library, which provides Ghostscript's core functionality. # executable instead of package. %package tools-dvipdf Summary: Ghostscript's 'dvipdf' utility -Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: /usr/bin/dvips +BuildArch: noarch +Requires: %{name} = %{version}-%{release} +Requires: %{_bindir}/dvips %description tools-dvipdf This package provides the utility 'dvipdf' for converting of TeX DVI files into @@ -231,7 +229,8 @@ PDF files using Ghostscript and dvips. %package tools-fonts Summary: Ghostscript's font utilities -Requires: %{name}%{?_isa} = %{version}-%{release} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} %description tools-fonts This package provides utilities which are useful when you are working with AFM, @@ -241,7 +240,8 @@ PFB or PFA files, mostly for conversion purposes. %package tools-printing Summary: Ghostscript's printing utilities -Requires: %{name}%{?_isa} = %{version}-%{release} +BuildArch: noarch +Requires: %{name} = %{version}-%{release} %description tools-printing This package provides utilities for formatting and printing text files using @@ -262,16 +262,6 @@ of various document files (including PS and PDF). # --------------- -%package x11 -Summary: Ghostscript's X11-based driver for document rendering -Requires: %{name}%{?_isa} = %{version}-%{release} - -%description x11 -This package provides X11-based driver for Ghostscript, which enables displaying -of various document files (including PS and PDF). - -# --------------- - %package doc Summary: Documentation files for Ghostscript Requires: %{name} = %{version}-%{release} @@ -288,16 +278,11 @@ This package provides detailed documentation files for Ghostscript software. %autosetup -N -S git # Libraries that we already have packaged in Fedora (see Build Requirements): -rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib - -# Yeah, not actually needed in Fedora (^_^): -rm -rf windows - +rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* leptonica libpng openjpeg tesseract tiff windows zlib # Add the remaining source code to the initial commit, patch the source code: git add --all --force . git commit --all --amend --no-edit > /dev/null %autopatch -p1 - # --------------- %build @@ -318,17 +303,20 @@ git commit --all --amend --no-edit > /dev/null # ... searches for necessary fonts in these column-separated directories, # not just default ones # +# --without-x +# ... builds gs library without X functionality (previously provided by ghostscript-x11) +# # NOTE: In RHEL we need to keep the /usr/share/ghostscript/conf.d/ folder # for China's GB18030 official certification: + %if %{defined rhel} || %{defined centos} -%configure --enable-dynamic --disable-compile-inits --without-versioned-path \ - --with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/:%{_datadir}/fonts" +%configure --without-x --disable-compile-inits --without-versioned-path \ + --with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}:%{_datadir}/%{name}/conf.d/" %else -%configure --enable-dynamic --disable-compile-inits --without-versioned-path \ +%configure --disable-compile-inits --without-versioned-path \ --with-fontpath="%{urw_base35_fontpath}:%{google_droid_fontpath}" %endif - -%make_build so +%make_build so %{?flatpak:XCFLAGS=-I%{_includedir} XTRALIBS=-L%{_libdir}} # --------------- @@ -369,7 +357,7 @@ ln -s %{_mandir}/man1/gs.1 %{buildroot}%{_mandir}/man1/ghostscript.1 # process for Ghostscript startup, and they advise using the symlinks where # possible. The fontconfig (Ghostscript's search path) should be used preferably # as a fallback only. -ln -fs %{google_droid_fontpath}/DroidSansFallback.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf +ln -fs %{google_droid_fontpath}/DroidSansFallbackFull.ttf %{buildroot}%{_datadir}/%{name}/Resource/CIDFSubst/DroidSansFallback.ttf for font in $(basename --multiple %{buildroot}%{_datadir}/%{name}/Resource/Font/*); do ln -fs %{urw_base35_fontpath}/${font}.t1 %{buildroot}%{_datadir}/%{name}/Resource/Font/${font} @@ -430,11 +418,6 @@ done %{_mandir}/man1/pdf2* %{_mandir}/man1/ps2* -%lang(de) %{_mandir}/de/man1/gsnd* -%lang(de) %{_mandir}/de/man1/eps2* -%lang(de) %{_mandir}/de/man1/pdf2* -%lang(de) %{_mandir}/de/man1/ps2* - # --------------- %files tools-dvipdf @@ -442,8 +425,6 @@ done %{_mandir}/man1/dvipdf* -%lang(de) %{_mandir}/de/man1/dvipdf* - # --------------- %files tools-fonts @@ -455,8 +436,6 @@ done %{_mandir}/man1/pfbtopfa* %{_mandir}/man1/printafm* -%lang(de) %{_mandir}/de/man1/printafm* - # --------------- %files tools-printing @@ -479,146 +458,271 @@ done # --------------- -%files x11 -%{_libdir}/%{name}/ - -# --------------- - %files doc %doc %{_docdir}/%{name}/ # ============================================================================= %changelog -* Tue Apr 15 2025 Zdenek Dohnal - 9.27-16 -- RHEL-18396 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable() -- RHEL-67046 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space -- RHEL-15067 CVE-2020-27792 ghostscript: heap buffer over write vulnerability in GhostScript's lp8000_print_page() in gdevlp8k.c -- RHEL-67051 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding -- RHEL-67051 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript -- RHEL-67051 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution +* Wed May 07 2025 Zdenek Dohnal - 10.02.1-16 +- RHEL-88964 CVE-2025-27832 ghostscript: NPDL device: Compression buffer overflow -* Mon Oct 14 2024 Zdenek Dohnal - 9.27-15 -- fix printing PCL XL on some printers +* Tue Apr 15 2025 Zdenek Dohnal - 10.02.1-15 +- RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space +- RHEL-67050 CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling +- RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding +- RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript +- RHEL-67050 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution -* Thu Oct 10 2024 Zdenek Dohnal - 9.27-14 -- RHEL-61729 Ghostscript is generating PJL of a significantly larger size +* Tue Oct 29 2024 Troy Dawson - 10.02.1-14 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Wed Jun 12 2024 Zdenek Dohnal - 9.27-13 -- CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library +* Wed Jul 17 2024 Zdenek Dohnal - 10.02.1-13 +- RHEL-46575 CVE-2024-33869 ghostscript: path traversal and command execution due to path reduction -* Tue Sep 19 2023 Richard Lescak - 9.27-12 -- fix to prevent divison by zero in devices -- Resolves: rhbz#2235009 +* Tue Jul 16 2024 Zdenek Dohnal - 10.02.1-12 +- RHEL-46149 CVE-2024-29509 ghostscript: heap buffer overflow via the PDFPassword parameter +- RHEL-46131 CVE-2024-29508 ghostscript: heap pointer leak in pdf_base_font_alloc() +- RHEL-46112 CVE-2024-29507 ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters +- RHEL-46076 CVE-2024-29506 ghostscript: stack-based buffer overflow in the pdfi_apply_filter() +- RHEL-44727 CVE-2024-29510 ghostscript: format string injection leads to shell command execution (SAFER bypass) -* Fri Aug 04 2023 Richard Lescak - 9.27-11 -- fix for CVE-2023-4042 -- Resolves: rhbz#2228153 +* Thu Jul 11 2024 Zdenek Dohnal - 10.02.1-12 +- RHEL-44771 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths -* Fri Aug 04 2023 Richard Lescak - 9.27-10 -- fix for CVE-2023-38559 -- Resolves: rhbz#2224371 +* Mon Jun 24 2024 Troy Dawson - 10.02.1-11 +- Bump release for June 2024 mass rebuild -* Fri May 05 2023 Richard Lescak - 9.27-9 -- fix for CVE-2023-28879 -- Resolves: rhbz#2188297 +* Fri Jun 21 2024 Zdenek Dohnal - 10.02.1-10 +- RHEL-38835 run the package with correct tests -* Fri Mar 17 2023 Richard Lescak - 9.27-8 +* Thu Jun 20 2024 Zdenek Dohnal - 10.02.1-9 +- RHEL-38835 CVE-2024-33871 ghostscript: OPVP device arbitrary code execution via custom Driver library + +* Wed Jan 24 2024 Fedora Release Engineering - 10.02.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Zdenek Dohnal - 10.02.1-7 +- fix rpmlint errors + +* Sat Jan 20 2024 Michael J Gruber - 10.02.1-7 +- fix another FTBFS with GCC 14 + +* Fri Jan 19 2024 Fedora Release Engineering - 10.02.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Jan 09 2024 Zdenek Dohnal - 10.02.1-5 +- fix FTBFS with GCC 14 + +* Tue Nov 07 2023 Michael J Gruber - 10.02.1-4 +- fix txtwrite device and /selectdevice + +* Tue Nov 07 2023 Michael J Gruber - 10.02.1-3 +- revert/adjust spec change for jbig2dec 0.20 and fix FTI (rhbz#2248557) + +* Tue Nov 07 2023 Richard Lescak - 10.02.1-2 +- change jbig2dec requirement to >= 0.19 + +* Mon Nov 06 2023 Richard Lescak - 10.02.1-1 +- rebase to version 10.02.1 (#2238724) + +* Wed Oct 11 2023 Richard Lescak - 10.01.2-4 +- fix for CVE-2023-43115 (#2241112) + +* Mon Aug 07 2023 Richard Lescak - 10.01.2-3 +- fix for CVE-2023-38559 (#2225380) + +* Wed Jul 19 2023 Fedora Release Engineering - 10.01.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Fri Jul 14 2023 Michael J Gruber - 10.01.2-1 +- rebase to bugfix release 10.01.2 (rhbz#2182090) +- fix for CVE-2023-36664 (rhbz#2217806) + +* Thu Apr 06 2023 Richard Lescak - 10.01.0-3 +- fix for CVE-2023-28879 (#2184586) +- add patch for converting default page name to lowercase (#2183166) + +* Mon Apr 03 2023 Richard Lescak - 10.01.0-2 +- set 'a4' as a default in gs_init.ps to fix unrecognized 'Letter' page size (#2183166) + +* Mon Mar 27 2023 Richard Lescak - 10.01.0-1 +- rebase to version 10.01.0 (#2180908) +- ghostscript-x11 removed, X functionality now builds directly into library for Fedora (#2178720) +- German manual pages removed + +* Thu Mar 16 2023 Richard Lescak - 10.0.0-4 - fix embedding of CIDFonts -- Resolves: rhbz#2169890 -* Wed Mar 15 2023 Richard Lescak - 9.27-7 -- fix bbox device calculating bounding box incorrectly -- Resolves: rhbz#2176327 +* Tue Feb 14 2023 Richard Lescak - 10.0.0-3 +- fix gdevcups to not match custom size against PPD -* Thu Feb 02 2023 Richard Lescak - 9.27-6 -- set the page size for A4 correctly in ESC/Page driver -- Resolves: rhbz#2164603 +* Sun Feb 12 2023 Michael J Gruber - 10.0.0-2 +- SPDX migration -* Tue Nov 15 2022 Richard Lescak - 9.27-5 -- fix loading of CIDFonts -- Resolves: rhbz#2118538 +* Mon Jan 23 2023 Richard Lescak - 10.0.0-1 +- rebase to new version 10.0.0 (#2128814) -* Mon Jul 25 2022 Richard Lescak - 9.27-4 -- changed requirement to jbig2dec-libs -- Resolves: rhbz#2097515, rhbz#2097448 +* Thu Oct 27 2022 Richard Lescak - 9.56.1-5 +- fix loading of CIDFonts (#2137856) -* Wed Jul 20 2022 Richard Lescak - 9.27-3 -- fixed drifting text to the right when printing -- added Requirement for jbig2dec -- added patch for CVE-2020-16301 -- Resolves: rhbz#2097515, rhbz#2097448 +* Wed Oct 19 2022 Michael J Gruber - 9.56.1-4 +- fix specifix shading subfunction handling -* Fri Jan 22 2021 Anna Khaitovich - 9.27-2 -- tools-dvipdf: require /usr/bin/dvips not %{_bindir}/dvips -- Resolves: rhbz#1918937 +* Wed Oct 05 2022 Michael J Gruber - 9.56.1-3 +- fix segfaulting X11 devices (rhbz#2125654) -* Tue Sep 01 2020 Anna Khaitovich - 9.27-1 -- Rebase to 9.27 -- Resolves: rhbz#1874523 +* Tue Sep 06 2022 Michael J Gruber - 9.56.1-2 +- fix FitPage with square media (rhbz#2123391) -* Tue Apr 07 2020 Zdenek Dohnal - 9.25-7 -- 1813228 - ghostscript fontconfig support broken when gs used with -dSAFER/-dPARANOIDSAFER +* Mon Aug 01 2022 Richard Lescak - 9.56.1-1 +- Rebase to new gs version 9.56.1 (#2072297) -* Thu Nov 07 2019 Zdenek Dohnal - 9.25-6 -- 1769343 - CVE-2019-14869 - -dSAFER escape in .charkeys +* Thu Jul 21 2022 Fedora Release Engineering - 9.55.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild -* Thu Aug 22 2019 Martin Osvald - 9.25-5 -- Resolves: #1744011 - CVE-2019-14811 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdf_hook_DSC_Creator (701445) -- Resolves: #1744015 - CVE-2019-14812 ghostscript: Safer Mode Bypass by .forceput Exposure in setuserparams (701444) -- Resolves: #1744006 - CVE-2019-14813 ghostscript: Safer Mode Bypass by .forceput Exposure in setsystemparams (701443) -- Resolves: #1744231 - CVE-2019-14817 ghostscript: Safer Mode Bypass by .forceput Exposure in .pdfexectoken and other procedures (701450) +* Fri May 20 2022 Sandro Mani - 9.55.0-4 +- Rebuild for gdal-3.5.0 and/or openjpeg-2.5.0 -* Mon Aug 05 2019 Martin Osvald - 9.25-4 -- Resolves: #1737337 - CVE-2019-10216 ghostscript: -dSAFER escape via .buildfont1 (701394) +* Thu Jan 20 2022 Fedora Release Engineering - 9.55.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild -* Thu Mar 28 2019 Martin Osvald - 9.25-3 -- Resolves: #1692798 - CVE-2019-3839 ghostscript: missing attack vector - protections for CVE-2019-6116 -- Resolves: #1678170 - CVE-2019-3835 ghostscript: superexec operator - is available (700585) -- Resolves: #1691414 - CVE-2019-3838 ghostscript: forceput in DefineResource - is still accessible (700576) -- fix included for ghostscript: Regression: double comment chars - '%%' in gs_init.ps leading to missing metadata -- fix for pdf2dsc regression added to allow fix for CVE-2019-3839 +* Thu Dec 30 2021 Tom Callaway - 9.55.0-2 +- apply fix from upstream bug 704737, preventing asymptote from working properly -* Wed Jan 23 2019 Martin Osvald - 9.25-2 -- Resolves: #1652937 - CVE-2018-19409 ghostscript: Improperly implemented - security check in zsetdevice function in psi/zdevice.c -- Resolves: #1642586 - CVE-2018-18073 ghostscript: saved execution stacks - can leak operator arrays -- Resolves: #1642580 - CVE-2018-17961 ghostscript: saved execution stacks - can leak operator arrays (incomplete fix for CVE-2018-17183) -- Resolves: #1642941 - CVE-2018-18284 ghostscript: 1Policy operator - allows a sandbox protection bypass -- Resolves: #1656336 - CVE-2018-19134 ghostscript: Type confusion in - setpattern (700141) -- Resolves: #1660571 - CVE-2018-19475 ghostscript: access bypass in - psi/zdevice2.c (700153) -- Resolves: #1660830 - CVE-2018-19476 ghostscript: access bypass in - psi/zicc.c -- Resolves: #1661280 - CVE-2018-19477 ghostscript: access bypass in - psi/zfjbig2.c (700168) -- Resolves: #1668891 - CVE-2019-6116 ghostscript: subroutines within - pseudo-operators must themselves be pseudo-operators (700317) +* Mon Oct 11 2021 Richard Lescak - 9.55.0-1 +- Rebase to new gs version (#2008146) -* Mon Sep 24 2018 David Kaspar [Dee'Kej] - 9.25-1 -- rebase to latest upstream version to fix issues discovered in previous CVE fixes (bug #1631701 and #1626997) +* Thu Sep 09 2021 Richard Lescak - 9.54.0-4 +- Added patch for a bug (#1989084) and CVE-2021-3781 (#2003085) -* Fri Sep 07 2018 David Kaspar [Dee'Kej] - 9.24-1 +* Thu Jul 22 2021 Fedora Release Engineering - 9.54.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jun 02 2021 Richard Lescak - 9.54.0-2 +- Added Obsoletes/Provides for old ghostscript-core (#1962993) + +* Fri May 14 2021 Richard Lescak - 9.54.0-1 +- Update to version 9.54.0 (#1944755) + +* Tue Jan 26 2021 Fedora Release Engineering - 9.53.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Tue Dec 22 2020 Michael J Gruber - 9.53.3-4 +- Restore opvp for good (#1909950) + +* Tue Nov 24 2020 Michael J Gruber - 9.53.3-3 +- Restore opvp device (#1899885) + +* Wed Nov 04 2020 Anna Khaitovich - 9.53.3-2 +- Drop use of FT_CALLBACK_DEF() def + +* Thu Oct 08 2020 Fedora Release Monitoring - 9.53.1-3 +- Update to 9.53.3 (#1882743) + +* Tue Sep 22 2020 Anna Khaitovich - 9.53.1-2 +- Bump jbig2dec version + +* Thu Sep 10 2020 Fedora Release Monitoring - 9.53.0-1 +- Update to 9.53.1 (#1877781) + +* Mon Jul 27 2020 Anna Khaitovich - 9.52-8 +- Use libidn2 instead of libidn (fixes #1860890) + +* Thu Jul 02 2020 Michael J Gruber - 9.52-7 +- really require the exact jbig2dec version + +* Sat Jun 27 2020 Peter Robinson - 9.52-6 +- standard packages should not require -devel packages + +* Wed Jun 24 2020 Anna Khaitovich - 9.52-5 +- Require the exact jbig2dec version in both build and runtime dependencies + +* Thu May 21 2020 Anna Khaitovich - 9.52-4 +- Define %%{jbig2dec_version} global macro + +* Wed May 20 2020 Anna Khaitovich - 9.52-3 +- Require the exact jbig2dec version to avoid a mismatch between header files and library + +* Mon May 18 2020 Anna Khaitovich - 9.52-2 +- Require the exact jbig2dec-devel version + +* Thu Apr 02 2020 Zdenek Dohnal - 9.52-1 +- 9.52 + +* Wed Mar 11 2020 Zdenek Dohnal - 9.50-1 +- 9.50 + +* Tue Jan 28 2020 Fedora Release Engineering - 9.27-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Thu Nov 14 2019 Zdenek Dohnal - 9.27-2 +- 1772486 - ghostscript: -dSAFER escape in .charkeys (701841) + +* Fri Sep 06 2019 Martin Osvald - 9.27-1 +- rebase to latest upstream version 9.27 +- security fixes added for: + - CVE-2019-14811 (bug #1747908) + - CVE-2019-14812 (bug #1747907) + - CVE-2019-14813 (bug #1747906) + - CVE-2019-14817 (bug #1747909) + +* Mon Aug 12 2019 Martin Osvald - 9.26-6 +- Fix for CVE-2019-10216 added + +* Thu Jul 25 2019 Fedora Release Engineering - 9.26-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Mar 22 2019 Martin Osvald - 9.26-4 +- Fixes for CVE-2019-3835 and CVE-2019-3838 added + +* Mon Mar 11 2019 Martin Osvald - 9.26-3 +- Fix for bug #1687144 added + +* Fri Mar 08 2019 Martin Osvald - 9.26-2 +- Fix for CVE-2019-6116 added (bug #1668888) + +* Thu Feb 07 2019 Martin Osvald - 9.26-1 +- rebase to latest upstream version 9.26 +- spec change to remove gsdoc.el due to upstream 8bc783cb586 + +* Thu Jan 31 2019 Fedora Release Engineering - 9.25-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Sep 17 2018 David Kaspar [Dee'Kej] - 9.25-1 +- rebase to latest upstream version to fix additional issues found in 9.24 + +* Fri Sep 14 2018 David Kaspar [Dee'Kej] - 9.24-3 +- ghostscript-9.24-002-icc-PermitReading.patch removed +- ghostscript-9.24-002-fix-for-Canon-and-Kyocera-printers.patch added (bug #1626818) +- ghostscript-9.24-003-CVE-2018-16802.patch added (bug #1627960) + +* Fri Sep 07 2018 Tom Callaway - 9.24-2 +- add upstream fix for reading in ICC profiles + +* Wed Sep 05 2018 David Kaspar [Dee'Kej] - 9.24-1 - rebase to latest upstream version, which contains important CVE fixes - additional ZER0-DAY fixes added -* Wed Aug 29 2018 David Kaspar [Dee'Kej] - 9.23-5 +* Wed Aug 29 2018 David Kaspar [Dee'Kej] - 9.23-7 - ghostscript-9.23-002-fixes-for-set-of-CVEs-reported-by-Google.patch added +* Mon Jul 30 2018 David Kaspar [Dee'Kej] - 9.23-6 +- ghostscript-9.23-001-create-GC-descriptors-for-JPEG-passthrough.patch added (bug #1589467) + +* Fri Jul 13 2018 Fedora Release Engineering - 9.23-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Tue May 15 2018 David Kaspar [Dee'Kej] - 9.23-4 - One more rebuild for libidn ABI fix (BZ#'s 1573961 and 1566414) * Mon May 14 2018 David Kaspar [Dee'Kej] - 9.23-3 - %%conflicts_vers bumped to fix F27->F28 upgrade +* Thu May 10 2018 Stephen Gallagher - 9.23-2.1 +- Rebuilding for libidn ABI fix (BZ#'s 1573961 and 1566414) + * Mon Apr 23 2018 David Kaspar [Dee'Kej] - 9.23-2 - Fix for CVE-2018-10194 added (bug #1569821) diff --git a/sources b/sources new file mode 100644 index 0000000..b4c0aaf --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (ghostscript-10.02.1.tar.xz) = ee0f754c1bd8a18428ad14eaa3ead80ff8b96275af5012e7a8384f1f10490da056eec9ae3cc791a7a13a24e16e54df5bccdd109c7d53a14534bbd7360a300b11